Newsletter@* Security Vulnerabilities and Issues — Newsletter@* CVE List

Lucene search

ThenewsletterpluginNewsletter*

10 matches found

CVE•added 2023/09/07 2:15 a.m.•111 views

CVE-2023-4772

The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'newsletter_form' shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers wit...

6.4CVSS5AI score0.0009EPSS

CVE•added 2021/01/01 2:15 a.m.•83 views

CVE-2020-35933

A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containin...

6.5CVSS6.1AI score0.00124EPSS

CVE•added 2022/06/13 1:15 p.m.•82 views

CVE-2022-1756

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as ...

6.1CVSS5.9AI score0.03183EPSS

CVE•added 2022/06/20 11:15 a.m.•59 views

CVE-2022-1889

The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed

4.8CVSS4.7AI score0.00214EPSS

CVE•added 2023/05/23 2:15 a.m.•55 views

CVE-2023-27922

Cross-site scripting vulnerability in Newsletter versions prior to 7.6.9 allows a remote unauthenticated attacker to inject an arbitrary script.

6.1CVSS6.1AI score0.07483EPSS

CVE•added 2025/06/09 6:15 a.m.•46 views

CVE-2025-3581

The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html...

4.8CVSS5.5AI score0.0004EPSS

CVE•added 2025/06/09 6:15 a.m.•43 views

CVE-2025-3582

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8CVSS5.4AI score0.0004EPSS

CVE•added 2024/06/05 2:15 a.m.•42 views

CVE-2024-5317

The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pa...

6.4CVSS6AI score0.00307EPSS

CVE•added 2025/05/05 6:15 a.m.•39 views

CVE-2025-3583

The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8CVSS5.4AI score0.00046EPSS

CVE•added 2025/06/03 6:15 a.m.•37 views

CVE-2025-3584

The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8CVSS5.7AI score0.0004EPSS