The Newsletter plugin for WordPress, with over 300,000 active installations, is widely adopted for managing subscriptions, creating automated campaigns, and personalizing subscriber experiences. However, a severe security flaw—CVE-2025-3584—has been discovered in the plugin’s subscription settings, specifically in its “Welcome page content” feature. This vulnerability allows users with Editor privileges to inject malicious JavaScript into the global “Welcome page” template. When unsuspecting visitors or administrators land on any post or page displaying the Welcome content, the injected script executes, opening the door to full account takeover via a persistent backdoor.
| Field | Value |
|---|---|
| CVE | CVE-2025-3584 |
| Plugin | Newsletter – Send awesome emails from WordPress < 8.7.1 |
| Severity | High |
| Downloads (all time) | 30 838 157 |
| Active installations | 300 000+ |
| Publicly Published | May 30, 2025 |
| Last Updated | May 30, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3584 https://wpscan.com/vulnerability/76937bdd-7ffa-4b5e-ade1-60da095a03a3/ |
Timeline

| Date | Event |
|---|---|
| February 18, 2025 | Plugin testing and vulnerability detection in the Newsletter – Send awesome emails from WordPress plugin have been completed |
| February 18, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| May 30, 2025 | Registered CVE-2025-3584 |
Discovery of the Vulnerability
During a comprehensive security review of the Newsletter plugin's settings screens, it was observed that the "Welcome page content" field did not properly sanitize HTML input before storing it in the database. By toggling off the "Customize" option and inserting raw HTML with embedded `onerror` event handlers, an attacker with only Editor-level access could persistently store JavaScript that would be rendered on every visitor's page load. The vulnerability was confirmed by injecting a simple `<img src=x onerror=alert(1)>` payload, which executed automatically upon page access, demonstrating the absence of output escaping.
Understanding XSS attacks
Cross-Site Scripting (XSS) remains one of the most prevalent vulnerabilities in WordPress due to its plugin-rich architecture and frequent reliance on user-generated content. Stored XSS in particular is dangerous because malicious scripts are saved server-side and repeatedly executed for any user viewing the affected page. Historically, similar flaws in other newsletter and form plugins have led to data breaches, session hijacking, and unauthorized administrative actions. For example, CVE-2024-11924 in the Email Subscribers plugin allowed editors to embed scripts in confirmation messages, leading to cookie theft. CVE-2025-3584 follows the same pattern, exploiting trusted Admin settings to execute unauthorized code.
Exploiting the XSS Vulnerability
To exploit CVE-2025-3584, an attacker with Editor or higher privileges proceeds as follows.
PoC:
1) Create a new page/post containing this plugin's subscription form and submit any data through it.
2) Go to the Subscription settings: 127.0.0.1/wordpress/wp-admin/admin.php?page=newsletter_subscription_options
3) Change "Welcome page content" to `<img src=x onerror=alert(1)>` and toggle off the "Customize" button.
4) To trigger the XSS, go to the page from step 1. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the `unfiltered_html` capability should be disallowed when testing for Stored XSS using such roles.)
The implications of CVE-2025-3584 are severe and far-reaching. By using a low-trust Editor account to plant persistent XSS, an attacker can hijack admin sessions, steal cookies, and use the Newsletter plugin's own REST API to provision new admin users. In real-world settings, compromised sites could see unauthorized changes to site content, deployment of malware, redirection to phishing domains, data exfiltration, or complete defacement. Given the plugin's large install base, the vulnerability poses a widespread risk, especially for multi-author blogs, corporate sites, and membership platforms that rely heavily on subscription management.
Recommendations for Improved Security
To mitigate this vulnerability:
- Update Immediately: Apply the Newsletter plugin patch that addresses CVE-2025-3584 as soon as it is available.
- Sanitize Inputs: Plugin developers must enforce rigorous sanitization on all HTML input fields using functions like `wp_kses_post()` and `esc_html()` before saving to the database.
- Escape Outputs: Always escape dynamic content on frontend render with `esc_html()` or `wp_kses()` based on context.
- Restrict Editor Capabilities: Limit the `unfiltered_html` capability to Administrators only, preventing Editors from embedding raw HTML.
- Implement CSP & WAF: Deploy a Content Security Policy to block inline scripts and use a Web Application Firewall to detect and block XSS payloads.
- Audit and Monitor: Regularly audit plugin settings and monitor site logs for suspicious changes to subscription templates.
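As an added illustration of the sanitize-on-save and escape-on-output advice above, and of the missing escaping described in the Discovery section, here is example PHP written for this article; it is not code from the Newsletter plugin, and the option name, nonce action and `hypo_*` function names are hypothetical (the WordPress functions called are real core APIs).

```php
<?php
// Added example, not code from the Newsletter plugin. The option name
// 'hypo_welcome_content', the nonce action and the hypo_* functions are
// hypothetical; the WordPress functions used are real core APIs.

// BEFORE: raw HTML from the settings form is stored and echoed unchanged.
// An Editor can store <img src=x onerror=...> and it runs for every visitor.
function hypo_welcome_save_vulnerable() {
    check_admin_referer( 'hypo_welcome_save' );
    if ( ! current_user_can( 'edit_posts' ) ) {       // Editors pass this check
        wp_die( 'Insufficient privileges' );
    }
    $raw = isset( $_POST['welcome_content'] ) ? wp_unslash( $_POST['welcome_content'] ) : '';
    update_option( 'hypo_welcome_content', $raw );    // no sanitization
}

function hypo_welcome_render_vulnerable() {
    echo get_option( 'hypo_welcome_content', '' );    // no output escaping
}

// AFTER: a stricter capability, sanitization on save, and escaping on output.
function hypo_welcome_save_hardened() {
    check_admin_referer( 'hypo_welcome_save' );
    if ( ! current_user_can( 'manage_options' ) ) {   // site-wide template: admins only
        wp_die( 'Insufficient privileges' );
    }
    $raw = isset( $_POST['welcome_content'] ) ? wp_unslash( $_POST['welcome_content'] ) : '';
    // wp_kses_post() keeps the markup normally allowed in post content and
    // strips <script> tags and on* event handlers such as onerror, so the
    // payload from the PoC is defanged before it reaches the database.
    update_option( 'hypo_welcome_content', wp_kses_post( $raw ) );
}

function hypo_welcome_render_hardened() {
    // Escape on output as well: the option may hold a value stored before
    // the fix, by another code path, or through a direct database compromise.
    echo wp_kses_post( get_option( 'hypo_welcome_content', '' ) );
}

// Where the welcome content is plain text rather than HTML, esc_html() is
// the right output function instead of wp_kses_post().
```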
To prevent this type of attack, the vendor applied the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3584, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.