VYPR

Newsletter

by WordPress

CVEs (27)

Note: the entries below cover several distinct plugins that share "Newsletter" in their name (Newsletter by Stefano Lissa, the Newsletters plugin, Newsletter Popup, ENL Newsletter, WordPress Email Newsletter). Match an installed plugin against the plugin name and version range stated in each entry, not against this page's title.

  • CVE-2024-8247 | High | Sep 6, 2024
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta can be updated as screen options. This makes it possible for authenticated attackers, with…

  • CVE-2023-0766 | High | May 30, 2023
    risk 0.57 | CVSS 8.8 | EPSS 0.00

    The Newsletter Popup WordPress plugin through 1.2 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, as the wp_newsletter_show_localrecord page is not protected with a nonce.

  • CVE-2025-67999 | High | Dec 16, 2025
    risk 0.49 | CVSS 7.6 | EPSS 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stefano Lissa Newsletter allows Blind SQL Injection. This issue affects Newsletter: from n/a through 9.0.9.

  • CVE-2020-35932 | High | Jan 1, 2021
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges (such as subscribers) to use the tnpc_render AJAX action to inject arbitrary PHP objects via the options[inline_edits] parameter. NOTE:…

  • CVE-2023-4797 | High | Jan 16, 2024
    risk 0.47 | CVSS 7.2 | EPSS 0.01

    The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.

  • CVE-2024-3642 | Medium | May 16, 2024
    risk 0.45 | CVSS 6.9 | EPSS 0.00

    The Newsletter Popup WordPress plugin through 1.2 does not have a CSRF check when deleting a subscriber, which could allow attackers to make logged-in admins perform that action via a CSRF attack.

  • CVE-2020-35933 | Medium | Jan 1, 2021
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded…

  • CVE-2024-13739 | Medium | Mar 22, 2025
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…

  • CVE-2023-0733 | Medium | May 30, 2023
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.

  • CVE-2023-27922 | Medium | May 23, 2023
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Cross-site scripting vulnerability in Newsletter versions prior to 7.6.9 allows a remote unauthenticated attacker to inject an arbitrary script.

  • CVE-2022-1756 | Medium | Jun 13, 2022
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although it uses addslashes, and most modern browsers automatically URL-encode requests, this is still vulnerable to Reflected XSS in…

  • CVE-2024-3059 | Medium | Apr 26, 2024
    risk 0.37 | CVSS 5.7 | EPSS 0.00

    The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF checks in some places, which could allow attackers to make logged-in admins delete arbitrary Campaigns via a CSRF attack.

  • CVE-2024-13098 | Medium | Feb 1, 2025
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    The WordPress Email Newsletter WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as admins.

  • CVE-2024-10181 | Medium | Oct 29, 2024
    risk 0.35 | CVSS 6.4 | EPSS 0.00

    The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2024-5317 | Medium | Jun 5, 2024
    risk 0.35 | CVSS 6.4 | EPSS 0.00

    The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…

  • CVE-2024-3058 | Medium | Apr 26, 2024
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF checks in some places and is missing sanitisation and escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

  • CVE-2024-31434 | Medium | Apr 15, 2024
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Stefano Lissa & The Newsletter Team Newsletter. This issue affects Newsletter: from n/a through 8.0.6.

  • CVE-2023-4772 | Medium | Sep 7, 2023
    risk 0.35 | CVSS 6.4 | EPSS 0.00

    The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'newsletter_form' shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for…

  • CVE-2024-30522 | Medium | May 17, 2024
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    Authentication Bypass by Spoofing vulnerability in Stefano Lissa & The Newsletter Team Newsletter allows Functionality Bypass. This issue affects Newsletter: from n/a through 8.2.0.

  • CVE-2025-3582 | Medium | Jun 9, 2025
    risk 0.31 | CVSS 4.8 | EPSS 0.00

    The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…
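Added example (PHP), not code from any plugin listed on this page. The CSRF entries (CVE-2023-0766, CVE-2024-3642, CVE-2024-3059, CVE-2024-3058, CVE-2024-31434), the subscriber-reachable AJAX action in CVE-2020-35932 and the screen-options privilege escalation in CVE-2024-8247 all come down to a handler that skips one of three checks: a nonce, a capability, or safe handling of structured request data. The hypothetical admin-post and AJAX handlers below show each check in place; the function names (example_*), the nonce action strings and the example_subscribers table are assumptions.

```php
<?php
// Added example, not code from any plugin listed on this page. All names
// (example_*, the nonce actions, the example_subscribers table) are assumed.

// --- Vulnerable shape (deliberately not registered, shown for contrast) -----
// admin_post_* and wp_ajax_* hooks fire for every authenticated user,
// subscribers included, unless the handler itself checks a capability. With no
// nonce, a cross-site form can trigger it with an admin's cookies; unserialize()
// on request data allows PHP object injection.
function example_vuln_delete_subscriber() {
    global $wpdb;
    $id    = $_GET['id'];
    $edits = unserialize( wp_unslash( $_POST['options']['inline_edits'] ) );
    $wpdb->delete( $wpdb->prefix . 'example_subscribers', array( 'id' => $id ) );
    wp_die( 'deleted' );
}

// --- Hardened admin-post handler ---------------------------------------------
function example_delete_subscriber() {
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;

    // 1. CSRF: require a nonce bound to this action and this record. The nonce
    //    is read from the _wpnonce parameter, which is what wp_nonce_url() adds.
    check_admin_referer( 'example_delete_subscriber_' . $id );

    // 2. Authorization: a nonce proves intent, not privilege. A subscriber can
    //    mint a valid nonce for their own session, so check the capability too.
    if ( 0 === $id || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Structured input: accept JSON and validate the shape. json_decode()
    //    cannot instantiate arbitrary classes the way unserialize() can.
    $edits = array();
    if ( isset( $_POST['options']['inline_edits'] ) ) {
        $decoded = json_decode( wp_unslash( $_POST['options']['inline_edits'] ), true );
        if ( is_array( $decoded ) ) {
            $edits = array_map( 'sanitize_text_field', $decoded );
        }
    }

    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'example_subscribers', array( 'id' => $id ), array( '%d' ) );

    wp_safe_redirect( add_query_arg( 'deleted', 1, admin_url( 'admin.php?page=example' ) ) );
    exit;
}
add_action( 'admin_post_example_delete', 'example_delete_subscriber' );

// The admin page must emit the link with the matching nonce.
function example_delete_link( $id ) {
    $id  = absint( $id );
    $url = admin_url( 'admin-post.php?action=example_delete&id=' . $id );
    return wp_nonce_url( $url, 'example_delete_subscriber_' . $id );
}

// --- Same three checks for an AJAX action -------------------------------------
// The page that issues the request obtains the nonce from
// wp_create_nonce( 'example_render' ) and sends it in the "nonce" field.
function example_render_ajax() {
    check_ajax_referer( 'example_render', 'nonce' );   // replies -1 and exits on failure
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $options = array();
    if ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) ) {
        $options = array_map( 'sanitize_text_field', wp_unslash( $_POST['options'] ) );
    }
    wp_send_json_success( array( 'html' => esc_html( $options['title'] ?? '' ) ) );
}
add_action( 'wp_ajax_example_render', 'example_render_ajax' );
```

The order matters: verify the nonce first so a forged request dies before any capability lookup or input processing, then check the capability, then parse input. When auditing a plugin for the CSRF entries above, grep its `admin_post_`, `wp_ajax_` and `admin_init` callbacks for the absence of `check_admin_referer`/`check_ajax_referer`/`wp_verify_nonce` and of `current_user_can`; a callback missing either is the finding.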
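Added example (PHP), not code from any plugin listed on this page. The stored-XSS-via-shortcode entries (CVE-2023-4772, CVE-2024-10181), the REQUEST_URI reflection in CVE-2022-1756 and the admin-settings entries (CVE-2023-0733, CVE-2025-3582) are all output-escaping failures in a different HTML context. The hypothetical shortcode, form-open helper and setting below show the escaping for each context; the names example_video, example_form_heading and example_settings are assumptions.

```php
<?php
// Added example, not code from any plugin listed on this page. The shortcode
// example_video, the option example_form_heading and the group example_settings
// are assumed names.

// --- Stored XSS through shortcode attributes ---------------------------------
// Shortcodes in post content are expanded for every reader, and users without
// unfiltered_html can still type shortcodes, so raw attributes are stored XSS.
function example_vuln_video_shortcode( $atts ) {
    // [example_video src="x" class='" onerror="alert(1)'] lands verbatim in the tag
    return '<video src="' . $atts['src'] . '" class="' . $atts['class'] . '"></video>';
}

function example_video_shortcode( $atts ) {
    // Declare the attributes you accept; anything else is dropped.
    $a = shortcode_atts(
        array( 'src' => '', 'class' => 'example-video', 'title' => '' ),
        $atts,
        'example_video'
    );
    $src = esc_url( $a['src'] );   // returns '' for javascript:, data: and other disallowed schemes
    if ( '' === $src ) {
        return '';
    }
    // Escape for the context each value lands in: attribute values get esc_attr().
    return sprintf(
        '<video src="%s" class="%s" title="%s" controls></video>',
        $src,
        esc_attr( sanitize_html_class( $a['class'], 'example-video' ) ),
        esc_attr( $a['title'] )
    );
}
add_shortcode( 'example_video', 'example_video_shortcode' );

// --- Reflected XSS via REQUEST_URI --------------------------------------------
// addslashes() escapes quotes for a PHP string literal, not for HTML: inside an
// attribute, \" still terminates the attribute and "><script> passes untouched.
function example_vuln_form_open() {
    return '<form action="' . addslashes( $_SERVER['REQUEST_URI'] ) . '" method="post">';
}

function example_form_open() {
    // Rebuild the URL from parts you control instead of echoing the request back.
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    $url  = add_query_arg( 'page', $page, admin_url( 'admin.php' ) );
    return '<form action="' . esc_url( $url ) . '" method="post">';
}

// --- Settings written by administrators ---------------------------------------
// Sanitise on save and escape on output even for admin-only settings: on
// multisite, or when DISALLOW_UNFILTERED_HTML is set, site admins do not hold
// unfiltered_html, and a stored payload would still fire for every visitor.
function example_register_settings() {
    register_setting(
        'example_settings',
        'example_form_heading',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

function example_form_heading_html() {
    return '<h2>' . esc_html( get_option( 'example_form_heading', '' ) ) . '</h2>';
}
```

The rule of thumb behind all three fixes: sanitise on input for the type you expect (URL, CSS class, plain text) and escape on output for the context you emit into (esc_attr for attributes, esc_url for href/src/action, esc_html for text). addslashes, htmlspecialchars without ENT_QUOTES, and "the browser URL-encodes it anyway" are not substitutes for any of them.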
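Added example (PHP), not code from any plugin listed on this page. CVE-2023-4797 names two sinks for the same unescaped parameter, SQL queries and shell commands, and CVE-2025-67999 is the blind-injection case of the first. The hypothetical subscriber lookup and export below show the vulnerable concatenation beside the $wpdb->prepare() and allowlist-plus-escapeshellarg() forms; the example_subscribers table and the /usr/bin/example-export binary are assumptions.

```php
<?php
// Added example, not code from any plugin listed on this page. The
// example_subscribers table and /usr/bin/example-export are assumed.

// --- Vulnerable: request parameters concatenated into SQL and into a shell line.
function example_vuln_export( $email, $format ) {
    global $wpdb;
    // email = "x' OR SLEEP(5)-- " gives the timing oracle of a blind injection
    $row = $wpdb->get_row(
        "SELECT id FROM {$wpdb->prefix}example_subscribers WHERE email = '$email'"
    );
    // format = "csv; id > /tmp/pwned" appends a second command
    return shell_exec( "/usr/bin/example-export --format=$format --id=" . $row->id );
}

// --- Hardened SQL: validate the type, then bind with $wpdb->prepare().
function example_find_subscriber( $email ) {
    global $wpdb;
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return null;
    }
    // %s is quoted and escaped by prepare(); the value can no longer alter the query.
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, email FROM {$wpdb->prefix}example_subscribers WHERE email = %s",
            $email
        ),
        ARRAY_A
    );
}

// LIKE is the usual leftover: prepare() knows nothing about % and _, so escape
// them with esc_like() before binding, or a search for "%" matches every row.
function example_search_subscribers( $prefix ) {
    global $wpdb;
    $like = $wpdb->esc_like( sanitize_text_field( $prefix ) ) . '%';
    return $wpdb->get_col(
        $wpdb->prepare(
            "SELECT email FROM {$wpdb->prefix}example_subscribers WHERE email LIKE %s LIMIT 50",
            $like
        )
    );
}

// --- Hardened shell: allowlist the option value and escape every argument.
function example_export( $id, $format ) {
    $allowed = array( 'csv', 'json' );
    if ( ! in_array( $format, $allowed, true ) ) {
        return false;
    }
    $id = absint( $id );
    if ( 0 === $id ) {
        return false;
    }
    $cmd = sprintf(
        '/usr/bin/example-export --format=%s --id=%s',
        escapeshellarg( $format ),
        escapeshellarg( (string) $id )
    );
    return shell_exec( $cmd );
}
```

escapeshellarg() is the second line of defence, not the first: the allowlist is what stops an attacker choosing `--format=--config=/etc/passwd`-style option injection, which quoting cannot prevent. On PHP 7.4 and later, proc_open() accepts the command as an array, which bypasses the shell entirely and is preferable to building a command string at all.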

Page 1 of 2