CVE-2020-35933 – Newsletter <= 6.8.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-35933
A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter.
• https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')