Security

The Newsletter plugin remains one of the most installed WordPress subscription solutions, with over 300,000 installations powering email campaigns and subscription forms worldwide. Despite its robust feature set—such as drag-and-drop form creation and subscriber management—a severe security flaw has been identified: CVE-2025-3582. This vulnerability allows a user with Editor-level privileges to inject persistent JavaScript into the form configuration itself. Once embedded, the malicious code will execute in any administrator’s or visitor’s browser when they view the affected form, providing attackers with a potent avenue to create backdoors and take over accounts.

The Newsletter plugin for WordPress, with over 300,000 active installations, is widely adopted for managing subscriptions, creating automated campaigns, and personalizing subscriber experiences. However, a severe security flaw—CVE-2025-3584—has been discovered in the plugin’s subscription settings, specifically in its “Welcome page content” feature. This vulnerability allows users with Editor privileges to inject malicious JavaScript into the global “Welcome page” template. When unsuspecting visitors or administrators land on any post or page displaying the Welcome content, the injected script executes, opening the door to full account takeover via a persistent backdoor.

Ninja Forms is a leading WordPress plugin enabling site owners to build advanced forms without coding, with over 700,000 active installations. Despite its popularity and feature richness, a critical vulnerability—CVE-2025-2560—was discovered, allowing users with Editor-level privileges to inject persistent JavaScript into form configurations. This stored XSS can escalate to a full account takeover backdoor, jeopardizing the security of any site using Ninja Forms.

Ninja Forms is one of the most widely used WordPress plugins for creating contact forms with over 700,000 active installations. Its user-friendly drag-and-drop interface makes it a favorite among both developers and non-technical users. However, in the process of a routine plugin security audit, we discovered a critical vulnerability that permits Stored Cross-Site Scripting (XSS), allowing a contributor or editor to inject malicious JavaScript and potentially establish a persistent backdoor, leading to complete account takeover.

WordPress plugins play a vital role in extending the platform’s capabilities, yet they are frequently a weak point in site security. One such case is the Kali Forms plugin, a drag-and-drop form builder currently active on over 30,000 installations. A critical vulnerability, now assigned CVE-2025-3201, was discovered in the plugin that permits users with only Contributor-level privileges to inject and store malicious JavaScript. This XSS payload can be used to hijack administrator sessions, ultimately leading to the creation of rogue admin accounts and full site compromise.

Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous vulnerabilities affecting WordPress plugins, especially those that allow user-generated content. In the Easy Contact Form Lite plugin (versions prior to 1.1.29), a stored XSS vulnerability was discovered that allows Contributor-level users to inject persistent JavaScript into the form’s placeholder field. This can lead to session hijacking, site defacement, and privilege escalation attacks if exploited by a malicious user.

The WordPress ecosystem is vast, with thousands of plugins extending its core functionality. However, the flexibility of these plugins can come at the cost of security if developers don’t adhere to strict input sanitization and output escaping practices. One such vulnerability was discovered in the popular Newsletter plugin, which is installed on over 300,000 websites. The issue, now identified as CVE-2025-3583, allows for Stored Cross-Site Scripting (XSS) that can be weaponized into a JavaScript backdoor, enabling attackers to hijack administrator accounts and compromise the entire site.