CVE-2023-28731 CRITICAL

CVE-2023-28731: Unauthenticated RCE affecting the AcyMailing plugin for Joomla

Vendor Acymailing
Product Newsletter Plugin for Joomla in the Enterprise version
Weakness CWE-20 · Input validation
Published March 30, 2023
Last update February 11, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

Key dates

02Disclosure timeline

March 30, 2023 CVE published
February 11, 2025 Record updated