Vulnerabilities and security researches fornewsletter newsletter

Jun 07, 2024

CVE, Research URL: CVE-2022-1756
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: Jun 13, 2022
Research Description: The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2020-35932
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: Jan 01, 2021
Research Description: Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tpnc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter. NOTE: exploitability depends on PHP objects that might be present with certain other plugins or themes.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2020-35933
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: Jan 01, 2021
Research Description: A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-1889
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: Jun 20, 2022
Research Description: The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-27922
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: May 23, 2023
Research Description: Cross-site scripting vulnerability in Newsletter versions prior to 7.6.9 allows a remote unauthenticated attacker to inject an arbitrary script.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-30522
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: May 17, 2024
Research Description: Authentication Bypass by Spoofing vulnerability in Stefano Lissa & The Newsletter Team Newsletter allows Functionality Bypass.This issue affects Newsletter: from n/a through 8.2.0.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-31434
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: Apr 15, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Stefano Lissa & The Newsletter Team Newsletter.This issue affects Newsletter: from n/a through 8.0.6.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-5317
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: Jun 05, 2024
Research Description: The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-4772
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: Sep 07, 2023
Research Description: The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'newsletter_form' shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

May 07, 2025

CVE, Research URL: CVE-2025-3583
Home page URL: Security reports for Newsletter – Send awesome emails from WordPress
Application: Newsletter – Send awesome emails from WordPress
Date: May 05, 2025
Research Description: The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: Min -, max -.
Status: vulnerable