Newsletters < 4.11 – Cross-Site Request Forgery | CVE 2025-54035 | Plugin Vulnerabilities

Description

The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

newsletters-lite

Fixed in 4.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e7cd51b1-4b56-4ca6-b891-93af9879862d

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Xuan Chien

Verified

No

WPVDB ID

43985f62-003d-4134-9106-f78218493651

Timeline

Publicly Published

2025-07-16 (about 11 months ago)

Added

2025-07-21 (about 11 months ago)

Last Updated

2025-07-21 (about 11 months ago)

Other

Published

Title

Published

2023-11-02

Title

Kadence WooCommerce Email Designer < 1.5.12 - CSRF

Published

2024-02-26

Title

Categorify < 1.0.7.5 - Cross-Site Request Forgery via categorifyAjaxClearCategory

Published

2025-12-11

Title

Freshchat <= 2.3.4 - Cross-Site Request Forgery

Published

2022-06-01

Title

New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF

Published

2023-03-14

Title

Google XML Sitemap for Images <= 2.1.3 - Map generation through CSRF