WordPress Plugin Vulnerabilities

SendPress Newsletters <= 1.26.1.20 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
sendpress
No known fix

References

CVE
CVE-2023-41729
URL
https://patchstack.com/database/vulnerability/sendpress/wordpress-sendpress-newsletters-plugin-1-22-3-31-cross-site-scripting-xss?_s_id=cve

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
110e5a2c-7b08-474d-97f4-9adb107d7fe6

Timeline

Publicly Published
2023-10-02 (about 2 years ago)
Added
2023-10-02 (about 2 years ago)
Last Updated
2026-02-18 (about 14 days ago)

Other

Published
Title
Published
2024-06-06
Title
Clever Fox < 25.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-29
Title
HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics < 11.1.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget
Published
2014-08-01
Title
Marekkis Watermark 0.9.2 - wp-admin/options-general.php pfad Parameter XSS
Published
2026-01-22
Title
Grand Magazine < 3.5.8 - Reflected Cross-Site Scripting
Published
2024-10-15
Title
Responsive Lightbox < 2.4.9 - Author+ Stored XSS