Vendor: Thenewsletterplugin

Products: 1 | CVEs: 16 | Across products: 16 | Status: Private

Recent CVEs (16)
  • CVE-2024-5674 | Med | Jun 12, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to a PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list,…

  • CVE-2024-5317 | Med | Jun 5, 2024
    risk 0.35 | cvss 6.4 | epss 0.00

    The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…

  • CVE-2023-4772 | Med | Sep 7, 2023
    risk 0.35 | cvss 6.4 | epss 0.00

    The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'newsletter_form' shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for…

  • CVE-2024-30522 | Med | May 17, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    Authentication Bypass by Spoofing vulnerability in Stefano Lissa & The Newsletter Team Newsletter allows Functionality Bypass. This issue affects Newsletter: from n/a through 8.2.0.

  • CVE-2026-1051 | Med | Jan 20, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it…

  • CVE-2024-7411 | Med | Aug 15, 2024
    risk 0.28 | cvss 5.3 | epss 0.00

    The Newsletters plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.9.9. This is due to the plugin not preventing direct access to the /vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php. This makes it possible for…

  • CVE-2025-3582 | Jun 9, 2025
    risk 0.00 | cvss (none listed) | epss 0.00

    The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…

  • CVE-2025-3581 | Jun 9, 2025
    risk 0.00 | cvss (none listed) | epss 0.00

    The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embedded, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even…

  • CVE-2025-3584 | Jun 3, 2025
    risk 0.00 | cvss (none listed) | epss 0.00

    The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example…

  • CVE-2024-13739 | Mar 22, 2025
    risk 0.00 | cvss (none listed) | epss 0.00

    The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…

  • CVE-2024-10181 | Oct 29, 2024
    risk 0.00 | cvss (none listed) | epss 0.00

    The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2024-8247 | Sep 6, 2024
    risk 0.00 | cvss (none listed) | epss 0.00

    The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta can be updated as screen options. This makes it possible for authenticated attackers, with…

  • CVE-2024-3643 | May 16, 2024
    risk 0.00 | cvss (none listed) | epss 0.00

    The Newsletter Popup WordPress plugin through 1.2 does not have a CSRF check when deleting a list, which could allow attackers to make logged-in admins perform such an action via a CSRF attack.

  • CVE-2024-3641 | May 16, 2024
    risk 0.00 | cvss (none listed) | epss 0.00

    The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins.

  • CVE-2006-1692 | Apr 11, 2006
    risk 0.00 | cvss (none listed) | epss 0.01

    Multiple SQL injection vulnerabilities in MWNewsletter 1.0.0b allow remote attackers to execute arbitrary SQL commands via the (1) user_email parameter to (a) unsubscribe.php or (b) subscribe.php; or the (2) user_name parameter to subscribe.php. NOTE: the provenance of this…

  • CVE-2006-1690 | Apr 11, 2006
    risk 0.00 | cvss (none listed) | epss 0.02

    Cross-site scripting (XSS) vulnerability in subscribe.php in MWNewsletter 1.0.0b allows remote attackers to inject arbitrary web script or HTML via the user_name parameter.