Skip to main content

Newsletters CVE-2024-37227

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-06-21 audit@patchstack.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 21, 2024 - 14:15 nvd
HIGH 8.8

DescriptionNVD

Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.7.

AnalysisAI

Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.9.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.9.7. Affected products include: Tribulant Newsletters. Version information: through 4.9.7..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2019-14788 HIGH POC
8.8 Aug 15

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPres

CVE-2026-12583 HIGH POC
8.1 Jul 14

Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize a

CVE-2019-14787 MEDIUM POC
5.4 Aug 09

The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newslette

CVE-2024-8247 HIGH
8.8 Sep 06

The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2

CVE-2026-57394 HIGH
7.1 Jul 13

Reflected cross-site scripting in the Tribulant Software Newsletters (newsletters-lite) WordPress plugin, affecting all

CVE-2026-2452 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2024-10181 MEDIUM
6.4 Oct 29

The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video sho

CVE-2024-13739 MEDIUM
6.1 Mar 22

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versi

CVE-2024-35718 MEDIUM
6.1 Jun 08

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tribulant N

CVE-2025-4857 HIGH
7.2 May 31

The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9

Share

CVE-2024-37227 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy