CVE-2014-4725
published 2014-07-27

Priority P183 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 59.68% (99.0th percentile)

The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

Affected

68 ranges · showing 25

Vendor | Product | Version range | Fixed in
mailpoet | mailpoet_newsletters | <= 2.6.6 |

Detection & IOCs (extracted from sources)

url: wp-admin/admin-post.php
path: wp-content/uploads/wysija/themes/mailp/
path: wp-content/plugins/wysija-newsletters/readme.txt
url: admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1

  • Detect unauthenticated POST requests to wp-admin/admin-post.php with GET parameters page=wysija_campaigns&action=themes — this is the exploit's upload vector, abusing the admin_init hook accessible without authentication.
  • Alert on POST requests where the POST body parameter does NOT begin with 'wysija_' while GET parameter 'page' equals 'wysija_campaigns' — this is the bypass technique exploiting PHP $_REQUEST POST-over-GET precedence.
  • Monitor for ZIP file uploads to the MailPoet theme upload endpoint followed by HTTP GET requests to wp-content/uploads/wysija/themes/ — indicates payload staging and execution.
  • Flag any new PHP files appearing under wp-content/uploads/wysija/themes/ — this path should not contain executable PHP and indicates successful exploitation.
  • The authentication bypass only works in PHP's default configuration where POST variables overwrite GET variables in $_REQUEST. Non-default PHP configurations may not be vulnerable to the 2.6.7 bypass variant.
  • Version 2.6.7 attempted a fix but remained bypassable; the complete fix was applied in 2.6.8 and backported to all previous versions. Detection rules should treat both 2.6.7 and earlier as vulnerable.
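
The request-pattern checks in the list above, sketched as a pass over web server access logs (an added example, not taken from the sources this page cites). It assumes Combined Log Format; the function name find_suspects, the sample lines, the client addresses and the theme name are constructed for illustration. Access logs do not record authentication state or POST bodies, so each match is a lead for review rather than proof.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Combined Log Format; we need client, method and request target.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*"')
UPLOAD_PATH = "/wp-admin/admin-post.php"
THEME_DIR = "/wp-content/uploads/wysija/themes/"

def find_suspects(lines):
    """Return (client, kind, path) tuples in log order."""
    uploaders = set()  # clients already seen sending the theme-upload request
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target = m.groups()
        parts = urlsplit(target)
        query = parse_qs(parts.query)  # also decodes percent-encoding
        if (method == "POST" and parts.path.endswith(UPLOAD_PATH)
                and "wysija_campaigns" in query.get("page", [])
                and "themes" in query.get("action", [])):
            uploaders.add(client)
            findings.append((client, "upload-request", parts.path))
        elif THEME_DIR in parts.path and (
                client in uploaders or parts.path.lower().endswith(".php")):
            # PHP under the themes directory, or any fetch from a client
            # that sent the upload request earlier in the log.
            findings.append((client, "theme-dir-access", parts.path))
    return findings

# Constructed sample lines (documentation addresses, made-up theme name).
SAMPLE = [
    '203.0.113.7 - - [01/Jul/2014:10:00:00 +0000] "POST /wp-admin/admin-post.php'
    '?page=wysija_campaigns&action=themes HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jul/2014:10:00:05 +0000] "GET /wp-content/uploads/wysija'
    '/themes/example/index.php HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Jul/2014:10:01:00 +0000] "GET /wp-content/uploads/wysija'
    '/themes/default/style.css HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jul/2014:10:02:00 +0000] "POST /wp-admin/admin-post.php'
    '?action=contact_form HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in find_suspects(SAMPLE):
        print(finding)
```

The filesystem check from the list (new PHP files under the themes directory) is separate and still needed, because a file can be staged without ever being requested in the log window you examine.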

CVSS provenance

nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH