WordPress Plugin Vulnerabilities

Newsletter < 6.7.7 - Authenticated Stored Cross-Site Scripting

Description

An Authenticated Stored Cross-Site Scripting (XSS) was discovered within the Company Info "Motto" field. When creating a new newsletter using an empty template with the header module, the XSS would execute.

This was later fixed in version: 6.7.7

Proof of Concept

Affects Plugins

Plugin icon
newsletter
Fixed in 6.7.7

References

URL
https://plugins.trac.wordpress.org/changeset/2338966

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Chevon Phillip
Submitter
Chevon Phillip
Submitter website
https://chevonphillip.com
Submitter twitter
https://twitter.com/chevonphillip
Verified
No
WPVDB ID
62dd0dd0-b322-4ed8-98b1-60991e2b7217

Timeline

Publicly Published
2020-07-12 (about 5 years ago)
Added
2020-07-12 (about 5 years ago)
Last Updated
2020-07-12 (about 5 years ago)

Other

Published
Title
Published
2025-08-26
Title
All-in-One WP Migration and Backup < 7.98 - Admin+ Stored XSS
Published
2024-03-26
Title
Preview E-mails for WooCommerce < 2.2.2 - Reflected Cross-Site Scripting
Published
2023-08-17
Title
Simple Staff List < 2.2.4 - Editor+ Stored XSS
Published
2023-01-12
Title
WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode
Published
2025-07-02
Title
Element Pack Addons for Elementor < 8.1.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-caption Attribute