CVE-2022-1889: Cross-site Scripting in Newsletter

Severity
4.8 MEDIUM (NVD)
CISA 9.8 | CISA 8.8
EPSS
0.2%
top 54.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 20
Latest update: Jun 21

Description

The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages: 1 package

🔴 Vulnerability Details (2)

GHSA | GHSA-qf3v-9qqm-2rm9: The Newsletter WordPress plugin before 7 | 2022-06-21
CVEList | Newsletter < 7.4.6 - Admin+ Stored Cross-Site Scripting | 2022-06-20

📋 Vendor Advisories (2)

CISA | Microsoft XML Core Services Memory Corruption Vulnerability | 2022-06-08
CISA | Microsoft Forefront TMG Remote Code Execution Vulnerability | 2022-03-03
CVE-2022-1889 — Cross-site Scripting in Newsletter | cvebase