CVE-2025-54034: 
WordPress vulnerability analysis and mitigation

CVE-2025-54034 is a Local File Inclusion vulnerability discovered in the Tribulant Software Newsletters WordPress plugin affecting all versions up to and including 4.10. The vulnerability was discovered by Nguyen Xuan Chien and was publicly disclosed on July 29, 2025 (Patchstack, Rapid7).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (CWE-98). It has been assigned a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely with high attack complexity, requires no privileges, but does need user interaction (Patchstack).

This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. Attackers can bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. Files containing credentials, such as database configurations, could be exposed, potentially leading to complete database takeover depending on the configuration (Rapid7, Patchstack).

Users are strongly advised to update to version 4.11 or later of the Newsletters plugin to resolve this vulnerability. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until the update can be applied (Patchstack).