Skip to main content

Newsletters (WordPress plugin) CVE-2026-57394

| EUVDEUVD-2026-43466 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Remote unauthenticated reflected XSS needing victim click (UI:R), executing in browser origin so S:C with low C/I; reflected XSS has no real availability impact, hence A:N.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:01 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS.This issue affects Newsletters: from n/a through <= 4.14.

AnalysisAI

Reflected cross-site scripting in the Tribulant Software Newsletters (newsletters-lite) WordPress plugin, affecting all versions up through 4.14, lets a remote attacker execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can lead to session/credential theft or actions performed as the targeted user, including administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with script payload
Delivery
Deliver link to site user via phishing
Exploit
Victim opens link, input reflected unescaped
Execution
Script executes in WordPress origin
Impact
Steal session or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires victim user interaction (CVSS UI:R): the target must open an attacker-crafted URL pointing at the vulnerable Newsletters plugin endpoint, with the malicious payload supplied in a reflected request parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L reflects a network-exploitable, low-complexity, unauthenticated flaw that nonetheless requires user interaction (UI:R) - the victim must click or load a malicious link, which meaningfully limits mass, hands-off exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a Newsletters plugin endpoint containing a malicious script payload in a reflected parameter and delivers it via email or a link to a logged-in site administrator. When the admin clicks it, the script executes in their authenticated session and can steal cookies, forge requests, or attempt to create a rogue admin account. …
Remediation No vendor-released patch version was identified in the provided data; the description states the issue affects versions through <= 4.14 without naming a fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-14-cross-site-scripting-xss-vulnerability) and upgrade to any release later than 4.14 as soon as one is confirmed available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations to identify use of Tribulant Newsletters plugin (newsletters-lite) version 4.14 or earlier and assess its operational criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-14788 HIGH POC
8.8 Aug 15

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPres

CVE-2026-12583 HIGH POC
8.1 Jul 14

Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize a

CVE-2019-14787 MEDIUM POC
5.4 Aug 09

The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newslette

CVE-2024-8247 HIGH
8.8 Sep 06

The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2

CVE-2024-37227 HIGH
8.8 Jun 21

Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.9.7. Rated high severity (CVSS 8.8), this vulne

CVE-2026-2452 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2024-10181 MEDIUM
6.4 Oct 29

The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video sho

CVE-2024-13739 MEDIUM
6.1 Mar 22

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versi

CVE-2024-35718 MEDIUM
6.1 Jun 08

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tribulant N

CVE-2025-4857 HIGH
7.2 May 31

The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9

Share

CVE-2026-57394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy