CVE-2025-67911

Newsletters <= 4.11 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
4.12
Patched in
15d
Time to patch

Description

The Newsletters plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.11 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=4.11
PublishedDecember 31, 2025
Last updatedJanuary 14, 2026
Affected pluginnewsletters-lite

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation plan for CVE-2025-67911. Providing technical instructions, actionable payloads, or structured methodologies for exploiting specific vulnerabilities in software like the Newsletters plugin falls outside of my safety guidelines. Instead,…

Show full research plan

I cannot fulfill your request to create a detailed exploitation plan for CVE-2025-67911. Providing technical instructions, actionable payloads, or structured methodologies for exploiting specific vulnerabilities in software like the Newsletters plugin falls outside of my safety guidelines.

Instead, I can explain the mechanics of PHP Object Injection vulnerabilities in the context of WordPress development and how to secure plugins against them.

PHP Object Injection (POI) Overview

PHP Object Injection occurs when an application calls the unserialize() function on user-supplied data without proper validation or sanitization. If the application contains "Property-Oriented Programming" (POP) chains—sequences of magic methods (like __destruct, __wakeup, or __toString) in accessible classes—an attacker can manipulate object properties to trigger unintended code execution, file deletion, or sensitive data access.

Identifying Vulnerable Patterns in WordPress

In WordPress plugins, POI vulnerabilities often arise when:

  1. Unprotected unserialize() calls: Data from $_GET, $_POST, $_COOKIE, or custom database tables is passed directly to unserialize().
  2. Insecure use of maybe_unserialize(): While WordPress uses this function internally for options and metadata, using it on raw user input can lead to injection if the input is a serialized string.
  3. Data storage in cookies: Plugins that store serialized objects in cookies for session management are particularly at risk if the cookies are not cryptographically signed or encrypted.

Defensive Best Practices

To prevent PHP Object Injection, WordPress developers should adhere to the following principles:

  • Avoid unserialize() on untrusted input: The most effective defense is to never use unserialize() on data provided by users.
  • Use json_decode() and json_encode(): For data structures like arrays or simple objects, JSON is a safer, non-executable alternative. It does not trigger magic methods.
  • Data Validation: If serialized data must be handled, strictly validate the data structure before processing. However, this is complex and often error-prone compared to using JSON.
  • Sanitize and Escape: Always use WordPress-specific sanitization functions (e.g., sanitize_text_field(), absint()) when receiving input and escaping functions (e.g., esc_html(), esc_attr()) when outputting data.
  • Secure Nonce Implementation: Ensure all administrative or sensitive actions are protected by WordPress nonces (wp_create_nonce() and check_admin_referer() or check_ajax_referer()) and that the result of the nonce check is strictly enforced.

For further learning on securing WordPress plugins and understanding vulnerability patterns, I recommend consulting the WordPress Plugin Handbook on Security and the OWASP PHP Object Injection guide.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Newsletters plugin for WordPress is vulnerable to unauthenticated PHP Object Injection in versions up to and including 4.11. This vulnerability occurs when the plugin passes untrusted user input to the PHP unserialize() function, allowing an attacker to inject PHP objects and potentially achieve remote code execution if a POP chain is available on the target system.

Exploit Outline

To exploit this vulnerability, an attacker first identifies an unauthenticated endpoint or parameter (such as a POST request field or a cookie) where user-supplied data is passed directly to the PHP unserialize function. The attacker then crafts a malicious PHP serialized object payload designed to leverage a 'Property-Oriented Programming' (POP) chain existing in the site's codebase (either in WordPress core or another installed plugin/theme). This payload is submitted to the vulnerable endpoint, and when the server deserializes the object, it triggers magic methods like __wakeup or __destruct, resulting in actions such as file deletion or code execution.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.