Advisory CVE-2023-28731, Unauthenticated RCE affecting the AcyMailing plugin for Joomla

CVE ID: CVE-2023-28731 

Vendor: AcyMailing 

Product: Newsletter Plugin for Joomla in the Enterprise version 

Title: Unauthenticated RCE affecting the AcyMailing plugin for Joomla 

Vulnerable Versions: < 8.3.0 

 

Problem Type (CWE) 

Impacts (CAPEC): CAPEC-242 Code Injection 

 

CVSS 3.1 

 

References 

 

CVE Description: 

Introduction: 

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress. 

 

The vulnerability: 

Unrestricted file upload allows PHP code to be injected, leading to unauthenticated remote code execution when access to campaign creation is granted on the front-office. 

This issue affects the AcyMailing Joomla Plugin in versions below 8.3.0. 

 

The steps to exploit the vulnerability: 

 

How to check for exploitation: 

 

Solution: 

 

Workaround: 

 

Timeline: 

 

Credits: