• Close
  • Back to search

    Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload

    The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin uses the admin_init hook, which is also executed for unauthenticated users when accessing a specific URL. The first fix for this vulnerability appeared in version 2.6.7, but the fix can be bypassed. In PHP's default configuration, a POST variable overwrites a GET variable in the $_REQUEST array. The plugin uses $_REQUEST to check for access rights. By setting the POST parameter to something not beginning with 'wysija_', the check is bypassed. Wordpress uses the $_GET array to determine the page, so it is not affected by this. The developers applied the fixes to all previous versions too.

    Free Metasploit Download

    Get your copy of the world's leading penetration testing tool

     Download Now

    Module Name



    • Marc-Alexandre Montpas
    • Christian Mehlmauer <FireFart [at] gmail.com>



    • wysija-newsletters < 2.6.8


    • php


    • php



    Module Options

    To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/unix/webapp/wp_wysija_newsletters_upload msf exploit(wp_wysija_newsletters_upload) > show targets ...targets... msf exploit(wp_wysija_newsletters_upload) > set TARGET <target-id> msf exploit(wp_wysija_newsletters_upload) > show options ...show and set options... msf exploit(wp_wysija_newsletters_upload) > exploit