Plugin Newsletter Plugin
by WordPress
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-3643 | Hig | 0.57 | 8.8 | 0.00 | May 16, 2024 | The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack | ||
| CVE-2024-3642 | Med | 0.45 | 6.9 | 0.00 | May 16, 2024 | The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack | ||
| CVE-2024-3641 | Med | 0.40 | 6.1 | 0.00 | May 16, 2024 | The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins | ||
| CVE-2021-25033 | Med | 0.33 | 6.1 | 0.03 | Feb 14, 2022 | The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue | ||
| CVE-2024-3644 | Med | 0.31 | 4.8 | 0.00 | May 16, 2024 | The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in… | ||
| CVE-2022-1889 | Med | 0.31 | 4.8 | 0.01 | Jun 20, 2022 | The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed | ||
| CVE-2012-3588 | 0.04 | — | 0.11 | Jun 19, 2012 | Directory traversal vulnerability in preview.php in the Plugin Newsletter plugin 1.5 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the data parameter. |
- risk 0.57cvss 8.8epss 0.00
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack
- risk 0.45cvss 6.9epss 0.00
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack
- risk 0.40cvss 6.1epss 0.00
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins
- risk 0.33cvss 6.1epss 0.03
The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue
- risk 0.31cvss 4.8epss 0.00
The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…
- risk 0.31cvss 4.8epss 0.01
The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed
- CVE-2012-3588Jun 19, 2012risk 0.04cvss —epss 0.11
Directory traversal vulnerability in preview.php in the Plugin Newsletter plugin 1.5 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the data parameter.