CVE-2019-14788

Name of the Vulnerable Software and Affected Versions Tribulant Newsletters plugin versions prior to 4.6.19

Description The issue allows directory traversal with resultant remote PHP code execution. This is achieved via the subscribers[1][1] parameter in conjunction with an exportfile=../ value in the "/wp-admin/admin-ajax.php?action=newsletters exportmultiple" API endpoint.

Recommendations For versions prior to 4.6.19, update to version 4.6.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-admin/admin-ajax.php?action=newsletters exportmultiple" API endpoint to minimize the risk of exploitation. Avoid using the subscribers[1][1] parameter and the exportfile parameter with a value of "../" in the affected API endpoint until the issue is resolved.