CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2009 – Newsletters <= 4.9.9.7 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-2009
25 Mar 2025 — The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logging functionality in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/newsletters-lite/trunk/views/admin/settings/view_logs.php?rev=3212300#L107 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13739 – Newsletters <= 4.9.9.7 - Reflected Cross-Site Scripting via To Parameter
https://notcve.org/view.php?id=CVE-2024-13739
21 Mar 2025 — The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/newsletters-lite/tags/4.9.9.7/views/admin/history/view.php#L48 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10181 – Newsletters <= 4.9.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via newsletters_video Shortcode
https://notcve.org/view.php?id=CVE-2024-10181
28 Oct 2024 — The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset/3175816 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8247 – Newsletters <= 4.9.9.2 - Authenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-8247
05 Sep 2024 — The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta can be updated as screen options. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator. Please note that this only affects users with access to edit/update screen options, which means an administrator would need to grant lower privilege ... • https://plugins.trac.wordpress.org/browser/newsletters-lite/tags/4.9.9.1/wp-mailinglist.php#L3279 • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7411 – Newsletters <= 4.9.9 - Unauthenticated Full Path Disclosure
https://notcve.org/view.php?id=CVE-2024-7411
14 Aug 2024 — The Newsletters plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.9.9. This is due the plugin not preventing direct access to the /vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected w... • https://plugins.trac.wordpress.org/browser/newsletters-lite/trunk/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37227 – WordPress Newsletters plugin <= 4.9.7 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37227
21 Jun 2024 — Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.7. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Tribulant Newsletters. Este problema afecta a Newsletters: desde n/a hasta 4.9.7. The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.7. This is due to missing or incorrect nonce validation on the admin_subscribers() function. • https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-9-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4797 – Newsletter Lite < 4.9.3 - Admin+ Command Injection
https://notcve.org/view.php?id=CVE-2023-4797
05 Oct 2023 — The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. El complemento Newsletters de WordPress anterior a 4.9.3 no escapa adecuadamente a los parámetros controlados por el usuario cuando se agregan a consultas SQL y comandos de shell, lo que podría permitir a un administrador ejecutar comandos arbitrarios en el servidor. The Newslet... • https://wpscan.com/vulnerability/de169fc7-f388-4abb-ab94-12522fd1ac92 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-30478 – WordPress Newsletters Plugin <= 4.8.8 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-30478
13 Apr 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters plugin <= 4.8.8 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Tribulant Newsletters en versiones <= 4.8.8. The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.8. This is due to missing nonce validation on several cases in several functions like admin_groups() and admin_forms(). This makes it possible for unauthenticated attackers to ... • https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-8-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2019-14787 – Newsletters <= 4.6.18 - Cross-Site Scripting via contentarea Parameter
https://notcve.org/view.php?id=CVE-2019-14787
01 Jul 2019 — The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. El plugin Tribulant Newsletters en versiones anteriores a 4.6.19 para WordPress, permite un ataque de tipo XSS por medio del parámetro contentarea de wp-admin/admin-ajax.php?action=newsletters_load_new_editor. • https://wordpress.org/plugins/newsletters-lite/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2019-14788 – Newsletters <= 4.6.18 - Directory Traversal
https://notcve.org/view.php?id=CVE-2019-14788
01 Jul 2019 — wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. El archivo wp-admin/admin-ajax.php?action=newsletters_exportmultiple en el plugin Tribulant Newsletters versiones anteriores a 4.6.19 para WordPress, permite un salto de directorio con ejecución de código PHP remota resultante por medio del ... • https://wordpress.org/plugins/newsletters-lite/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •