High severity7.1NVD Advisory· Published Oct 6, 2024· Updated Apr 23, 2026

CVE-2024-47346

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS.This issue affects Newsletters: from n/a through <= 4.9.9.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in Tribulant Newsletters plugin for WordPress allows attackers to inject malicious scripts via crafted requests, affecting versions up to 4.9.9.1.

Vulnerability

Overview The Newsletters plugin for WordPress (newsletters-lite) suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This affects all versions up to and including 4.9.9.1.

Exploitation

Details An attacker can exploit this flaw by crafting a malicious URL that, when visited by a privileged user (such as an administrator), injects arbitrary JavaScript into the page [1]. The attack requires user interaction—the victim must click the link or submit a crafted form—but no prior authentication is needed for the attacker to deliver the payload.

Impact

Successful exploitation allows the attacker to execute malicious scripts in the context of the victim's browser session. This can lead to actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing sensitive information like session cookies [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites.

Mitigation

The vendor has released version 4.9.9.2 which resolves the issue. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the patch is applied [1].

References

Cross Site Scripting (XSS) in WordPress Newsletters Plugin

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Newsletters Liteinferred
Range: <=4.9.9.1
Package: https://wordpress.org/plugins/newsletters-lite

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-9-9-1-reflected-cross-site-scripting-xss-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000