CVE-2026-12583
WordPress · Newsletters
The Newsletters WordPress plugin before 4.15 is vulnerable to unauthenticated PHP object injection via a public form, leading to arbitrary file write and remote code execution.
Executive summary
A critical deserialization vulnerability in the Newsletters WordPress plugin enables unauthenticated remote code execution and is currently being exploited in the wild.
Vulnerability
The plugin fails to prevent insecure deserialization of untrusted input stored through a public form, allowing unauthenticated attackers to inject malicious PHP objects and trigger a gadget chain to execute arbitrary code.
Business impact
This vulnerability is critical, as it allows unauthenticated attackers to gain full control over the affected WordPress environment. With a CVSS score of 8.1 and confirmed active exploitation, this flaw presents an immediate threat to data confidentiality, integrity, and availability.
Remediation
Immediate Action: Update the Newsletters plugin to version 4.15 or later immediately.
Proactive Monitoring: Monitor server logs for unusual POST requests directed at subscription forms and check for the creation of unauthorized or unexpected files on the filesystem.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block malicious serialized PHP objects.
Exploitation status
Public Exploit Available: No (no confirmed public exploit in available data)
Analyst recommendation
Given the active exploitation of this vulnerability and the potential for unauthenticated remote code execution, organizations must apply the 4.15 patch without delay. If an immediate update is not possible, disable the subscription form functionality until the patch is applied.