Cross-Site Scripting Vulnerabilities in Newsletter Manager Plugin for WordPress
CVE-2012-6628
Currently unrated
Summary
The Newsletter Manager plugin for WordPress contains multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or HTML. The affected inputs are the xyz_em_campName parameter in admin/create_campaign.php and admin/edit_campaign.php, the xyz_em_email parameter in admin/edit_email.php, the xyz_em_exportbatchSize parameter in import_export.php, and the pagination limits in the plugin's options. Injected script executes in users' browsers, potentially compromising user data and security. Update to version 1.0.2 or later to mitigate these risks.
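The three kinds of input named above (free text, an e-mail address, and numeric limits) each call for a different server-side control. The following is an added example, not the plugin's code or its 1.0.2 fix. The function names, form markup, the 1 to 1000 range and the sample value are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical helpers, not taken from the plugin.

// Free-text field such as xyz_em_campName: keep the value as entered and
// encode it for the HTML attribute context at output time.
// (Inside WordPress, esc_attr() serves this purpose.)
function render_camp_name_input(string $raw): string {
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="xyz_em_campName" value="' . $safe . '">';
}

// Address field such as xyz_em_email: reject anything that is not an
// address, then still encode it, since valid addresses may contain quotes.
function render_email_input(string $raw): string {
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    $safe  = $email === false
        ? ''
        : htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="xyz_em_email" value="' . $safe . '">';
}

// Numeric settings such as xyz_em_exportbatchSize or a pagination limit:
// accept only an integer inside an assumed range, otherwise use the default.
function parse_bounded_int($raw, int $default, int $min = 1, int $max = 1000): int {
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? $default : $n;
}

// Constructed sample input containing markup, as a regression check.
$probe = '"><script>alert(1)</script>';
echo render_camp_name_input($probe), "\n"; // markup is entity-encoded
echo render_email_input($probe), "\n";     // value is dropped
echo parse_bounded_int($probe, 100), "\n"; // falls back to the default
echo parse_bounded_int('250', 100), "\n";  // valid integer is accepted
```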
References
Timeline
Vulnerability Reserved
Vulnerability published