CVE-2019-14788

HIGH

Tribulant Newsletters < 4.6.19 - Path Traversal and Remote Code Execution via Export Subscribers Parameter

Title source: llm
STIX 2.1

Description

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value.

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.0371
EPSS Percentile 88.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (1)
tribulant/newsletters < 4.6.19
Published Aug 15, 2019
Tracked Since Feb 18, 2026