Newsletter < 7.4.5 - Reflected Cross-Site Scripting
CVE-2022-1756

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Newsletter – Send Awesome Emails From WordPress
Vendor: CVE Published:; 13 June 2022

Summary

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

Affected Version(s)

Newsletter – Send awesome emails from WordPress 7.4.5

References

https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jun 13, 2022
Vulnerability Reserved
May 17, 2022

Credit

PHYO WIN SHEIN