Stored Cross-Site Scripting vulnerability in Newsletter plugin for WordPress
CVE-2023-4772

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Newsletter – Send awesome emails from WordPress
Vendor: CVE Published:; 7 September 2023

Summary

The Newsletter plugin for WordPress, versions up to and including 7.8.9, is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping on attributes provided by users. This vulnerability enables authenticated attackers with at least contributor-level permissions to insert malicious web scripts, which can execute whenever a user visits the compromised pages. This presents a significant risk, as it can lead to unauthorized access and data compromise, impacting user trust.

Affected Version(s)

Newsletter – Send awesome emails from WordPress * <= 7.8.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/newsletter/tag...

https://plugins.trac.wordpress.org/changeset/2955097/news...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 7, 2023
Vulnerability Reserved
Sep 5, 2023

Credit

Lana Codes