WordPress Plugin Vulnerabilities

Newsletter & Bulk Email Sender <= 2.0.1 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
newsletter-bulk-email
No known fix

References

CVE
CVE-2023-45829
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/newsletter-bulk-email/newsletter-bulk-email-sender-201-authenticated-contributor-stored-cross-site-scripting
URL
https://patchstack.com/database/vulnerability/newsletter-bulk-email/wordpress-newsletter-bulk-email-sender-plugin-2-0-1-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
thiennv
Verified
No
WPVDB ID
c6335db8-3a51-4170-b052-2c68cc0aff1b

Timeline

Publicly Published
2023-10-13 (about 2 years ago)
Added
2023-10-26 (about 2 years ago)
Last Updated
2023-10-26 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
Internal Links Generator <= 3.51 - Reflected Cross-Site Scripting
Published
2014-07-16
Title
Profile Builder < 1.1.66 - Multiple XSS
Published
2023-03-21
Title
Userlike – WordPress Live Chat < 2.3 - Admin+ Stored Cross-Site Scripting
Published
2025-01-09
Title
Tracking Code Manager < 2.4.0 - Contributor+ Stored XSS
Published
2026-02-17
Title
Complianz | GDPR/CCPA Cookie Consent < 7.4.4 - Contributor+ Stored XSS