CVE-2025-3584 – Newsletter – Stored XSS to JS Backdoor Creation – POC

The Newsletter plugin for WordPress, with over 300,000 active installations, is widely used to manage subscriptions, run automated campaigns, and personalise what subscribers see. A stored cross-site scripting flaw, CVE-2025-3584, was found in the plugin’s subscription settings, specifically in the “Welcome page content” field. Because the field does not adequately sanitize the HTML it stores, a user with the Editor role can place arbitrary JavaScript in the global “Welcome page” template. That template is rendered into any post or page that displays the welcome content, so the injected script runs in the browser of every visitor or administrator who lands there; in an administrator’s session it can act with that administrator’s privileges, which is what turns a stored XSS into a persistent backdoor and full account takeover. One caveat on impact: on a single-site WordPress installation the Editor role holds the unfiltered_html capability by default, so the practical exposure is greatest on multisite installations and on sites where unfiltered_html has been disabled. In either case the correct fix is for the plugin to sanitize the field on save rather than rely on the role boundary.
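The class of bug described above is fixed by sanitizing the stored field against an allowlist when it is saved, instead of trusting the role of whoever saved it. The following Python script is an added example, not code from the Newsletter plugin or from the original post: it implements a small allowlist sanitizer for a welcome-page HTML fragment, together with a scanner that flags active content in a fragment that is already stored, so an operator can audit existing content. The tag and attribute allowlist, the example hostname, and the payload are all constructed for illustration; the sanitizer follows the same idea as WordPress' wp_kses_post but does not reproduce that function.

```python
"""Added example: allowlist sanitizer and active-content scanner for a stored HTML
fragment such as a newsletter welcome page.  Not code from the Newsletter plugin."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: tags an Editor needs for a welcome page and the attributes each may keep.
ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(), "h2": set(), "h3": set(),
    "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"},
}
RAW_DROP = {"script", "style"}                   # drop the element *and* its body, not just the tag
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL


def _safe_url(value):
    """Reject javascript:/data:/etc. even when the scheme is split by tabs or newlines,
    which browsers strip before interpreting the URL."""
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    return urlsplit(cleaned).scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; every text node is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.raw_drop = None   # name of the script/style element whose body is being discarded

    def handle_starttag(self, tag, attrs):
        if self.raw_drop:
            return
        if tag in RAW_DROP:
            self.raw_drop = tag
            return
        if tag not in ALLOWED:
            return             # unknown tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:      # drops every on* handler, style=, srcdoc=, ...
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.raw_drop:
            if tag == self.raw_drop:
                self.raw_drop = None
            return
        if tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.raw_drop:
            self.out.append(html.escape(data, quote=False))


class ActiveContentScanner(HTMLParser):
    """Audit helper: reports anything in an already-stored fragment that can run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> {name}= event handler")
            elif name in URL_ATTRS and not _safe_url(value or ""):
                self.findings.append(f"<{tag}> {name}= with unsafe URL scheme")


def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def scan_active_content(fragment):
    s = ActiveContentScanner()
    s.feed(fragment)
    s.close()
    return s.findings


# Constructed payload of the kind an Editor could save into the welcome-page field.
WELCOME_PAYLOAD = (
    "<h2>Welcome to the list!</h2>"
    "<script>alert(document.cookie)</script>"
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)" onclick="steal()">Confirm</a>'
    '<p>Manage your subscription <a href="https://example.com/unsubscribe" title="Unsubscribe">here</a>.</p>'
)

if __name__ == "__main__":
    for finding in scan_active_content(WELCOME_PAYLOAD):
        print("finding:", finding)
    print(sanitize(WELCOME_PAYLOAD))
```

Run scan_active_content over the welcome-page field exported from a suspect site: any finding in content that an Editor saved is worth investigating, because the script will fire in every administrator session that renders the page. The sanitizer keeps the text of unknown tags but discards the body of script and style elements entirely, and it re-escapes attribute values on output, so entity-encoded schemes such as &#106;avascript: are decoded by the parser and rejected before they can be re-serialised.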
