Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Remote unauthenticated reflected XSS needing victim click (UI:R), executing in browser origin so S:C with low C/I; reflected XSS has no real availability impact, hence A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS.This issue affects Newsletters: from n/a through <= 4.14.
AnalysisAI
Reflected cross-site scripting in the Tribulant Software Newsletters (newsletters-lite) WordPress plugin, affecting all versions up through 4.14, lets a remote attacker execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can lead to session/credential theft or actions performed as the targeted user, including administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires victim user interaction (CVSS UI:R): the target must open an attacker-crafted URL pointing at the vulnerable Newsletters plugin endpoint, with the malicious payload supplied in a reflected request parameter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L reflects a network-exploitable, low-complexity, unauthenticated flaw that nonetheless requires user interaction (UI:R) - the victim must click or load a malicious link, which meaningfully limits mass, hands-off exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to a Newsletters plugin endpoint containing a malicious script payload in a reflected parameter and delivers it via email or a link to a logged-in site administrator. When the admin clicks it, the script executes in their authenticated session and can steal cookies, forge requests, or attempt to create a rogue admin account. … |
| Remediation | No vendor-released patch version was identified in the provided data; the description states the issue affects versions through <= 4.14 without naming a fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-14-cross-site-scripting-xss-vulnerability) and upgrade to any release later than 4.14 as soon as one is confirmed available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress installations to identify use of Tribulant Newsletters plugin (newsletters-lite) version 4.14 or earlier and assess its operational criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Newsletters
View allwp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPres
Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize a
The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newslette
The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2
Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.9.7. Rated high severity (CVSS 8.8), this vulne
Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste
The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video sho
The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versi
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tribulant N
The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43466