Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10
Critical0
High0
Medium10
Reset
Showing 1-10 of 10 records
Threat Entry Updated 2026-04-15

CVE-2026-1051 - Newsletter Plugin

The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.

PLUGIN Newsletter

CVE-2026-1051

MEDIUM CVSS 4.3 2026-01-20
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2025-3582 - Newsletter Plugin

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Newsletter

CVE-2025-3582

MEDIUM CVSS 4.8 2025-06-09
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2025-3581 - Newsletter Plugin

The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Newsletter

CVE-2025-3581

MEDIUM CVSS 4.8 2025-06-09
Open Full Technical Breakdown
Threat Entry Updated 2025-06-05

CVE-2025-3584 - Newsletter Plugin

The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Newsletter

CVE-2025-3584

MEDIUM CVSS 4.8 2025-06-03
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2025-3583 - Newsletter Plugin

The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Newsletter

CVE-2025-3583

MEDIUM CVSS 4.8 2025-05-05
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5674 - Newsletter Plugin

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0

PLUGIN Newsletter

CVE-2024-5674

MEDIUM CVSS 6.5 2024-06-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5317 - Newsletter Plugin

The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'np1' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Newsletter

CVE-2024-5317

MEDIUM CVSS 6.4 2024-06-05
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-4772 - Newsletter Plugin

The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'newsletter_form' shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Newsletter

CVE-2023-4772

MEDIUM CVSS 6.4 2023-09-07
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-1889 - Newsletter Plugin

The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed

PLUGIN Newsletter

CVE-2022-1889

MEDIUM CVSS 4.8 2022-06-20
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-1756 - Newsletter Plugin

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

PLUGIN Newsletter

CVE-2022-1756

MEDIUM CVSS 6.1 2022-06-13
Open Full Technical Breakdown
Scroll to top