Thenewsletterplugin Newsletter — known CVE vulnerabilities
Every CVE whose affected-product data names Thenewsletterplugin Newsletter, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (10)
CVE-2020-35933 — CVSS 6.5 (medium): A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote…
CVE-2024-5317 — CVSS 6.4 (medium): The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and…
CVE-2023-4772 — CVSS 6.4 (medium): The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'newsletter_form' shortcode in versions up to, and…
CVE-2023-27922 — CVSS 6.1 (medium): Cross-site scripting vulnerability in Newsletter versions prior to 7.6.9 allows a remote unauthenticated attacker to inject an arbitrary…
CVE-2022-1756 — CVSS 6.1 (medium): The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin…
CVE-2025-3582 — CVSS 4.8 (medium): The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users…
CVE-2025-3583 — CVSS 4.8 (medium): The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such…
CVE-2022-1889 — CVSS 4.8 (medium): The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege…
CVE-2025-3581 — CVSS 4.8 (medium): The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a…
CVE-2025-3584 — CVSS 4.8 (medium): The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high…