WordPress MailPoet Newsletters (wysija-newsletters) unauthenticated file upload
Description
The MailPoet Newsletters plugin (wysija-newsletters) for WordPress, in versions prior to 2.6.8, contains an unauthenticated file upload vulnerability in its theme upload functionality. An attacker can exploit the weakness without any credentials by uploading a malicious ZIP archive that contains PHP code, bypassing the access control that should restrict theme uploads to authorized administrators only.
Remediation
Immediately upgrade the MailPoet Newsletters plugin to version 2.6.8 or later through the WordPress admin dashboard (Plugins > Installed Plugins > MailPoet Newsletters > Update). If automatic updates are unavailable, manually download version 2.6.8 or later from the official WordPress plugin repository and install it via FTP. After upgrading, review server logs and the file system for any suspicious PHP files uploaded during the vulnerable period, particularly in the plugin's theme directory. Consider implementing web application firewall (WAF) rules that block unauthorized file uploads and restrict access to plugin administration functions to authenticated users only.
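A small audit script for the review step above, added here as an example and not part of the advisory or of the plugin itself: it reads the plugin's own "Version:" header to decide whether the installed build predates 2.6.8, then walks the theme upload directory (its path is assumed and passed in by the caller) for any file carrying PHP code, whatever its extension. The plugin header and the theme directory it scans are constructed samples.

```python
import re
import tempfile
from pathlib import Path

PATCHED_VERSION = (2, 6, 8)          # first fixed wysija-newsletters release
PHP_MARKERS = (b"<?php", b"<?=")     # PHP open tags; a newsletter theme should contain none
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

def parse_version(plugin_header):
    """Return the 'Version:' value of a WordPress plugin header as a tuple of ints."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", plugin_header, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """True for any MailPoet Newsletters version below 2.6.8."""
    return version is not None and version < PATCHED_VERSION

def find_php_in_themes(theme_dir, since=None):
    """Walk the theme upload directory and list files carrying PHP code, judged by
    extension or by an open tag in the first 64 KiB, so renamed payloads are caught too.
    'since' (epoch seconds) restricts the scan to files modified after that time."""
    root = Path(theme_dir)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or (since is not None and path.stat().st_mtime < since):
            continue
        with path.open("rb") as f:
            head = f.read(65536)
        if path.suffix.lower() in PHP_EXTENSIONS or any(tag in head for tag in PHP_MARKERS):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

# Constructed sample plugin header: the version line is all the audit reads from it.
SAMPLE_HEADER = "/*\nPlugin Name: MailPoet Newsletters\nVersion: 2.6.7\n*/\n"

def build_sample_theme_dir():
    """Constructed sample theme directory (assumed layout): one clean theme and one
    theme whose archive smuggled in PHP, once as a .php file and once disguised as a PNG."""
    root = Path(tempfile.mkdtemp(prefix="wysija_themes_"))
    (root / "default").mkdir()
    (root / "default" / "style.css").write_bytes(b"body { color: #333; }\n")
    (root / "default" / "index.html").write_bytes(b"<html><body>newsletter</body></html>\n")
    (root / "pretty").mkdir()
    (root / "pretty" / "shell.php").write_bytes(b"<?php /* constructed sample */ ?>\n")
    (root / "pretty" / "logo.png").write_bytes(b"<?= /* constructed sample */ ?>\n")
    return root

if __name__ == "__main__":
    print("installed build vulnerable:", is_vulnerable(parse_version(SAMPLE_HEADER)))
    print("PHP found under theme dir:", find_php_in_themes(build_sample_theme_dir()))
```

On a real site, point find_php_in_themes at the directory where the plugin unpacks uploaded themes and pass the epoch timestamp of the last known-good backup as since.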