4 matches found
CVE-2020-35933
A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing...
CVE-2020-35933
A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing...
CVE-2020-35933
CVE-2020-35933 affects the WordPress Newsletter plugin prior to 6.8.2. A reflected, authenticated XSS can be triggered by submitting a tnpc_render AJAX request containing JavaScript in the options parameter or a base64-encoded JSON string with JavaScript in encoded_options. Impact is limited to t...
Newsletter < 6.8.2 - Authenticated Cross-Site Scripting (XSS)
Newsletter suffers from an Authenticated Reflected Cross-Site Scripting (XSS) vulnerability via the ‘tnpc_render’ AJAX action found in newsletter/emails/emails.php. Due to how the corresponding ‘tnpc_render_callback’ function decodes input via the ‘restore_options_from_request’ function and renders them v...