The Newsletter plugin remains one of the most installed WordPress subscription solutions, with over 300,000 installations powering email campaigns and subscription forms worldwide. Despite its robust feature set—such as drag-and-drop form creation and subscriber management—a severe security flaw has been identified: CVE-2025-3582. This vulnerability allows a user with Editor-level privileges to inject persistent JavaScript into the form configuration itself. Once embedded, the malicious code will execute in any administrator’s or visitor’s browser when they view the affected form, providing attackers with a potent avenue to create backdoors and take over accounts.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-3582 |
| Plugin (vulnerable versions) | Newsletter – Send awesome emails from WordPress < 8.7.5 |
| Severity | High |
| All-time downloads | 30 838 157 |
| Active installations | 300 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3582 ; https://wpscan.com/vulnerability/19db8521-8dff-48c5-b21a-1001895292e0/ |
Timeline
| Date | Event |
| --- | --- |
| February 18, 2025 | Plugin testing and vulnerability detection in Newsletter – Send awesome emails from WordPress completed |
| February 18, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| May 30, 2025 | Registered CVE-2025-3584 |
Discovery of the Vulnerability
While performing a security audit of the Newsletter plugin’s form management endpoints, researchers uncovered that the form title field does not sanitize HTML input. In particular, when an editor renames a saved form, accessible at `/wp-admin/admin.php?page=newsletter_subscription_forms`, they can embed `<img src=x onerror=…>` tags. Because the plugin trusts this input and outputs it directly in the shortcode-rendered form, the injected JavaScript is stored in the database and executed on every page where the form is embedded: a classic Stored XSS weakness.
Understanding XSS attacks
Cross-Site Scripting (XSS) remains a principal threat in WordPress security due to the platform’s extensibility and the prevalence of user-generated content. When an attacker can store a script on the server that executes in the context of other users’ browsers, the impact is magnified. In the past, similar vulnerabilities in newsletter and form plugins enabled attackers to hijack admin sessions, alter site content, or install malicious plugins. Robin Scott’s notorious XSS chain in 2021 used such persistence to completely compromise WordPress installations—underscoring how Stored XSS in a form title can be weaponized to devastating effect.
Exploiting the XSS Vulnerability
To exploit CVE-2025-3582, an attacker with Editor-level or higher privileges proceeds as follows.
POC:
1) Create a new form at `127.0.0.1/wordpress/wp-admin/admin.php?page=newsletter_subscription_forms`, named "Form 1".
2) Change the "Form 1" title field to `<img src=x onerror=alert(1)>`.
3) Create a new Page/Post with the following shortcode -
4) To trigger the XSS, open that page. (Admins and Editors are allowed to use JS in posts/pages/comments/etc., so the `unfiltered_html` capability should be disallowed when testing for Stored XSS using such roles.)
This vulnerability presents a serious risk to site integrity. An attacker could use the stored XSS to:
- Hijack administrator sessions by stealing cookies.
- Silently create new administrator accounts via the WordPress REST API.
- Inject malicious JavaScript, redirecting visitors to phishing domains or pulling in crypto-mining scripts.
In a multi-author or multi-editor environment—such as news sites, corporate blogs, or membership platforms—even a single compromised editor account can become the entry point for a complete takeover, data exfiltration, or customer credential theft.
Recommendations for Improved Security
To mitigate CVE-2025-3582:
- Update the Newsletter plugin immediately to the patched version once released.
- Sanitize all form title and label fields using `esc_html()` or `wp_kses()` to strip script tags.
- Restrict the `unfiltered_html` capability so that only Administrators can input HTML in form settings.
- Implement a strong Content Security Policy (CSP) to block inline JavaScript execution.
- Monitor form configurations and audit logs for unauthorized title changes or suspicious HTTP requests.
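The following is an added example, not the Newsletter plugin's own code, showing the unsafe store-and-echo pattern described in the Discovery section next to the sanitize-on-save and filter-on-output fix recommended above; the `demo_*` names and option keys are invented, while `wp_kses()`, `sanitize_text_field()`, `current_user_can()`, `update_option()` and `add_shortcode()` are standard WordPress APIs.

```php
<?php
// Added example, not the Newsletter plugin's own code: a hypothetical plugin's
// form-title save/render pair showing the unsafe pattern this advisory
// describes next to a hardened version. All demo_* names are invented.

// UNSAFE: stores the submitted title verbatim and echoes it raw, so a title
// such as <img src=x onerror=...> is persisted and runs wherever the
// shortcode renders. This is the pattern behind the vulnerability above.
function demo_save_form_title_unsafe( $form_id, $title ) {
    update_option( 'demo_form_title_' . (int) $form_id, $title );
}
function demo_render_form_unsafe( $form_id ) {
    $title = get_option( 'demo_form_title_' . (int) $form_id, '' );
    return '<h3>' . $title . '</h3>'; // no escaping on output
}

// Markup an Administrator may keep in a title; no event-handler attributes.
const DEMO_TITLE_ALLOWED_HTML = array( 'b' => array(), 'em' => array(), 'br' => array() );

// HARDENED, step 1: sanitize on save according to the caller's capability.
function demo_sanitize_form_title( $title ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        // Administrators: allow-listed tags only. wp_kses() drops <script>,
        // <img onerror=...>, every on* attribute and javascript: URLs.
        return wp_kses( $title, DEMO_TITLE_ALLOWED_HTML );
    }
    // Editors without unfiltered_html: plain text, all tags stripped.
    return sanitize_text_field( $title );
}
function demo_save_form_title_safe( $form_id, $title ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return false; // caller is not even an Editor
    }
    update_option( 'demo_form_title_' . (int) $form_id, demo_sanitize_form_title( $title ) );
    return true;
}

// HARDENED, step 2: filter again on output, so a title stored before the fix
// is still rendered safely. Use esc_html() instead if no markup is wanted.
function demo_render_form_safe( $form_id ) {
    $title = get_option( 'demo_form_title_' . (int) $form_id, '' );
    return '<h3>' . wp_kses( $title, DEMO_TITLE_ALLOWED_HTML ) . '</h3>';
}
add_shortcode( 'demo_form', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    return demo_render_form_safe( $atts['id'] );
} );
```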
To prevent this type of attack, the vendor applied the mitigations we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3582, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.