CVE-2025-3584
Published 2025-06-03
CVE-2025-3584: The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as…
Priority: P418 | Severity: medium | Score: 4.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.21% (11.2th percentile)
The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 3.19.0 < 6.6.112 | 6.6.112 |
| linux | linux_kernel | >= 6.13.0 < 6.17.3 | 6.17.3 |
| linux | linux_kernel | >= 6.7.0 < 6.12.53 | 6.12.53 |
| thenewsletterplugin | newsletter | < 8.8.2 | 8.8.2 |
OSV
f2fs: fix to truncate first page in error path of f2fs_truncate()
osv·2025-11-12
CVE-2025-40137 f2fs: fix to truncate first page in error path of f2fs_truncate()
f2fs: fix to truncate first page in error path of f2fs_truncate()
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to truncate first page in error path of f2fs_truncate()
syzbot reports a bug as below:
loop0: detected capacity change from 0 to 40427
F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.
------------[ cut here ]------------
kernel BUG at fs/inode.c:753!
RIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753
Call Trace:
evict+0x504/0x9c0 fs/inode.c:810
f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047
get_tree_bdev_flags+
GHSA
GHSA-6p39-gq6w-rwhx: The Newsletter WordPress plugin before 8
ghsa_unreviewed·2025-06-03
CVE-2025-3584 [MEDIUM] CWE-79 GHSA-6p39-gq6w-rwhx: The Newsletter WordPress plugin before 8
The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Red Hat
kernel: f2fs: fix to truncate first page in error path of f2fs_truncate()
vendor_redhat·2025-11-12
CVE-2025-40137 kernel: f2fs: fix to truncate first page in error path of f2fs_truncate()
kernel: f2fs: fix to truncate first page in error path of f2fs_truncate()
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to truncate first page in error path of f2fs_truncate()
syzbot reports a bug as below:
loop0: detected capacity change from 0 to 40427
F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.
------------[ cut here ]------------
kernel BUG at fs/inode.c:753!
RIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753
Call Trace:
evict+0x504/0x9c0 fs/inode.c:810
f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047
get_tree_bdev_f
No detection rules found.
No public exploits indexed.
Published: 2025-06-03