2 matches found
Newsletter < 7.4.5 - Cross-Site Scripting
The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $SERVER'REQUESTURI' before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as...
Newsletter < 7.6.9 - Cross-Site Scripting
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators id: CVE-2023-27922 info: name: Newsletter 7.6.9 - Cross-Site Scripting author: r3Y3r53 severity: medium...