
CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 Jun 2025 — The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Newsletter WordPress plugin before version 8.85 does not sanitise or escape some of its form settings, which could allow high-privilege users, such as the administrator, to perform... • https://wpscan.com/vulnerability/19db8521-8dff-48c5-b21a-1001895292e0

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

19 May 2025 — The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embedded, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Newsletter WordPress plugin before version 8.8.5 does not validate or escape some of its widget options before outputting them again... • https://wpscan.com/vulnerability/2d96f018-510d-40ab-9e73-76fa44784813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

13 May 2025 — The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.8.1 due to insufficient input sanitiz... • https://wpscan.com/vulnerability/76937bdd-7ffa-4b5e-ade1-60da095a03a3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.7 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Apr 2025 — The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the preheader_text value in versions up to, and including, 8.7.0 due to insufficient input sanitization and output escaping. This makes it pos... • https://wpscan.com/vulnerability/a6582e14-e21e-48e7-9b4c-0044fb199825 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

10 Jan 2025 — The WordPress Email Newsletter WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The WordPress Email Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject... • https://wpscan.com/vulnerability/eac71f70-993e-4353-8550-affb24c61c02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 23% | CPEs: 1 | EXPL: 1

24 Oct 2024 — The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks. The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to SQL Injection via the 'bwfan-track-id' parameter in all versions up to, and ... • https://wpscan.com/vulnerability/fab29b59-7e87-4289-88dd-ed5520260c26 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Apr 2024 — The ENL Newsletter WordPress plugin through 1.0.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin+ to perform SQL injection attacks. The ENL Newsletter WordPress plugin through version 1.0.1 does not sanitise or escape a parameter before using it in a SQL statement, which allows admin+ to perform SQL injection attacks. The ENL Newsletter plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.... • https://wpscan.com/vulnerability/7740646d-f3ea-4fc7-b35e-8b4a6821e178 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

25 Apr 2024 — The Newsletter Popup WordPress plugin through 1.2 does not have a CSRF check when deleting a list, which could allow attackers to make logged-in admins perform such an action via a CSRF attack. The Newsletter Popup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the wp_newsletter_show_items page. This makes it possible for unauthenticated attackers to delete lists via a forged request granted they can tri... • https://wpscan.com/vulnerability/698277e6-56f9-4688-9a84-c2fa3ea9f7dc • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 2

25 Apr 2024 — The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins. The Newsletter Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nl_data' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that wi... • https://github.com/kva55/CVE-2024-36416 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

25 Apr 2024 — The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Newsletter Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it p... • https://wpscan.com/vulnerability/10eb712a-d9c3-46c9-be6a-02811396fae8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')