WordPress Newsletters Plugin Local File Inclusion Vulnerability

Vulnerability

A local file inclusion (LFI) vulnerability has been identified in the Newsletters plugin for WordPress, affecting all versions through 4.9.9.9. The vulnerability arises from insufficient validation of the 'file' parameter, allowing authenticated attackers with Administrator-level access to include and execute arbitrary files already present on the server. Exploitation could lead to unauthorized execution of PHP code, bypassing of access controls, and access to sensitive data. Additionally, in scenarios where 'safe' file types such as images can be uploaded, the vulnerability could be used to achieve code execution.

Impact

Exploitation of this vulnerability allows local file inclusion, with the potential execution of arbitrary PHP code contained in the included files. This could be used to bypass access controls, access sensitive information, or execute code in cases where 'safe' file types can be uploaded and subsequently included.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges uploads a file containing PHP code (for example, a .jpg file renamed to .php). After uploading, the file can be included through the export download action ('wpmlmethod=exportdownload'), which triggers execution of the PHP code on the server.

Remediation

Users are advised to update the Newsletters plugin to version 4.10 or later.
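For administrators reviewing a fix of this kind, the example below is added here and is not code from the Newsletters plugin or its vendor patch. It shows what a hardened "download exported file" handler needs to do so that a 'file' parameter can never become an include(): restrict the value to a plain file name, enforce an extension allow-list, canonicalise the path and confirm it stays under the export directory, and stream the bytes instead of interpreting them. The export directory, function names, nonce action and allowed extensions are assumptions; the WordPress calls (current_user_can, check_admin_referer, wp_die) are real.

```php
<?php
// Added example (not the plugin's own code): a hardened export-download
// handler. Directory, nonce action and extension list are assumptions.

declare(strict_types=1);

const EXPORT_DIR = '/var/www/html/wp-content/uploads/newsletter-exports'; // assumed
const ALLOWED_EXTENSIONS = ['csv', 'txt', 'zip'];                          // assumed

/**
 * Resolve a user-supplied file name to a path inside EXPORT_DIR, or return
 * null if the request must be refused. The result is only ever streamed,
 * never passed to include()/require().
 */
function resolve_export_file(string $requested): ?string
{
    // 1. Accept only a bare file name: no directory separators, no leading dot
    //    (which also rules out "." and ".."), only a conservative character set.
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }
    if ($requested[0] === '.' || !preg_match('/\A[A-Za-z0-9_.-]+\z/', $requested)) {
        return null;
    }

    // 2. Extension allow-list, compared case-insensitively.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // 3. Canonicalise both sides and require the target to sit strictly under
    //    the export directory; this defeats symlinks and any traversal that
    //    might slip past the name check.
    $base = realpath(EXPORT_DIR);
    $path = realpath(EXPORT_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function handle_export_download(): void
{
    // Capability and nonce checks; 'newsletter_export' is an assumed nonce action.
    if (!current_user_can('manage_options') || !check_admin_referer('newsletter_export')) {
        wp_die('Forbidden', 403);
    }

    $path = resolve_export_file((string) ($_GET['file'] ?? ''));
    if ($path === null) {
        wp_die('Invalid file', 400);
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path); // bytes are sent to the client; the file is never executed
    exit;
}
```

The important design choice is the last line: a download action has no reason to include() anything, so even if every earlier check were bypassed, readfile() would only disclose a file from the export directory rather than execute it. The allow-list and realpath containment then reduce that residual exposure to files the feature is meant to serve.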

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.