
CVE-2022-1756 – Newsletter < 7.4.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1756
23 May 2022 — The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below. • https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-dd8c4f62b072 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-38302
https://notcve.org/view.php?id=CVE-2021-38302
13 Aug 2021 — The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection. • https://typo3.org/help/security-advisories • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2020-35933 – Newsletter <= 6.8.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-35933
03 Aug 2020 — A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter. • https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-35932 – Newsletter <= 6.8.1 - Authenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2020-35932
02 Aug 2020 — Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tnpc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter. NOTE: exploitability depends on PHP objects that might be present with certain other plugins or themes. • https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites • CWE-502: Deserialization of Untrusted Data

CVE-2006-3986 – NewsLetter 3.5 - 'NL_PATH' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-3986
05 Aug 2006 — PHP remote file inclusion vulnerability in index.php in Knusperleicht Newsletter 3.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the NL_PATH parameter. • https://www.exploit-db.com/exploits/2097

CVE-2006-1533
https://notcve.org/view.php?id=CVE-2006-1533
30 Mar 2006 — SQL injection vulnerability in newsletter.php in Sourceworkshop newsletter 1.0 allows remote attackers to execute arbitrary SQL commands via the newsletteremail parameter. • http://evuln.com/vulns/107/summary.html