CVE-2014-4725
EXPLOITED
MailPoet Newsletters <2.6.7 - Auth Bypass
Title source: llm
Description
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.
Exploits (4)
metasploit
WORKING POC
EXCELLENT
by Marc-Alexandre Montpas, Christian Mehlmauer · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
exploitdb
WORKING POC
VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/33991
References (6)
Scores
EPSS
0.8179
EPSS Percentile
99.2%
Exploitation Intel
VulnCheck KEV
2022-12-05
Classification
CWE
CWE-287
Status
draft
Affected Products (50)
mailpoet/mailpoet_newsletters
< 2.6.6
... and 35 more
Timeline
Published
Jul 27, 2014
Tracked Since
Feb 18, 2026