NewsmanApp WordPress plugin CVE-2025-60164
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in NewsMAN NewsmanApp allows Stored XSS. This issue affects NewsmanApp: from n/a through 2.7.7.
AnalysisAI
Cross-Site Request Forgery (CSRF) in NewsmanApp WordPress plugin versions up to 2.7.7 enables stored Cross-Site Scripting (XSS) attacks through unauthorized administrative actions. Attackers can trick authenticated administrators into executing malicious requests that inject persistent JavaScript payloads, leading to session hijacking, privilege escalation, or further compromise of WordPress sites. EPSS score of 0.01% (3rd percentile) indicates very low observed exploitation probability. No active exploitation confirmed in CISA KEV. Patchstack vulnerability database is the primary authoritative source for this disclosure.
Technical ContextAI
This vulnerability chain exploits WordPress plugin architecture weaknesses where CSRF protection mechanisms (nonce validation) are absent or improperly implemented in NewsmanApp administrative functions. The CSRF flaw (CWE-352) serves as the entry vector, allowing attackers to forge requests from authenticated administrators without consent. The resulting stored XSS component indicates that the plugin fails to sanitize user-controlled input before persisting it to the WordPress database, violating both WordPress Coding Standards and OWASP secure development guidelines. The changed scope (S:C) in the CVSS vector suggests the XSS payload can execute in a different security context than the vulnerable plugin itself, likely affecting the broader WordPress installation or other logged-in users. This is characteristic of stored XSS in administrative interfaces where injected scripts persist and execute for multiple victims.
Affected ProductsAI
WordPress NewsmanApp plugin versions from earliest releases through version 2.7.7 are vulnerable. The vulnerability affects all WordPress installations running these plugin versions regardless of WordPress core version. Patchstack database reference at https://patchstack.com/database/wordpress/plugin/newsmanapp/vulnerability/wordpress-newsmanapp-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability provides authoritative vulnerability details. No CPE identifiers were available in source data to confirm precise version enumeration.
RemediationAI
Upgrade NewsmanApp plugin to version 2.7.8 or later if available, following standard WordPress plugin update procedures through the admin dashboard or via WP-CLI. Before upgrading, verify patch availability at https://patchstack.com/database/wordpress/plugin/newsmanapp/vulnerability or check the WordPress plugin repository for release notes. If immediate patching is not feasible, implement compensating controls: restrict WordPress admin dashboard access to trusted IP addresses via .htaccess or firewall rules (trade-off: breaks remote administration); deploy a WordPress Application Firewall (WAF) like Wordfence or Sucuri with CSRF and XSS protection rules enabled (trade-off: potential false positives blocking legitimate admin actions); require re-authentication for sensitive NewsmanApp operations through session management plugins (trade-off: degrades user experience); or temporarily deactivate NewsmanApp plugin until patched version is deployed (trade-off: loss of newsletter functionality). Administrative user security awareness training to avoid clicking untrusted links while logged into WordPress provides defense-in-depth but should not replace technical controls.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today