CVE-2025-3582
The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...
CVE-2025-3581
CVE-2025-3581 affects the Newsletter WordPress plugin (versions prior to 8.8.5). The issue is a failure to validate/escape certain Widget options before output, enabling a stored XSS when the block is embedded on a page/post, potentially exploitable by high-privilege users such as admins, includi...
CVE-2022-1889
The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheadertext setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed...
CVE-2022-1756
The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as...