Description

The plugin does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins.
1. Make sure there is a newsletter configured with the setting “Email Service > Save to local database”
2. When not logged in, use an HTML file where `` is a valid newsletter ID:
3. Go to “Newsletter Popup > Local Record”
4. Select “Show Record” and see the XSS