CVE-2014-4725

Name of the Vulnerable Software and Affected Versions MailPoet Newsletters (wysija-newsletters) plugin versions prior to 2.6.7

Description The issue allows remote attackers to bypass authentication and execute arbitrary PHP code. This is achieved by uploading a crafted theme using the "wp-admin/admin-post.php" endpoint and then accessing the theme in "wp-content/uploads/wysija/themes/mailp/".

Recommendations For versions prior to 2.6.7, update to version 2.6.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin-post.php" endpoint and the "wp-content/uploads/wysija/themes/mailp/" directory to minimize the risk of exploitation.