CVE-2025-69020

Vulnerability

Overview

The Tribulant Newsletters plugin for WordPress (newsletters-lite) versions up to and including 4.12 contain a stored cross-site scripting (XSS) vulnerability [1]. This arises from improper neutralization of user-supplied input during web page generation, allowing an attacker with sufficient privileges to inject arbitrary JavaScript or HTML into the plugin's pages [1].

Exploitation

To exploit this vulnerability, an attacker must have a role that can submit or save content within the plugin (e.g., a contributor or higher). The injected payload is stored on the server and executed when other users, including administrators or site visitors, view the affected page where the payload is rendered [1]. No direct user interaction is required beyond the initial injection, but the attacker must be authenticated with the necessary privileges.

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information [1]. The vulnerability is rated as Medium severity (CVSS 6.5) and is considered a low severity impact, but it is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vendor has released version 4.13 which fixes the issue. Users are strongly advised to update immediately. If updating is not possible, consider disabling the plugin or implementing a web application firewall (WAF) rule to block malicious input [1].