CVE-2022-1756

MEDIUM NUCLEI

Newsletter < 7.4.5 - XSS

Title source: rule

Description

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

Nuclei Templates (1)

Newsletter < 7.4.5 - Cross-Site Scripting

MEDIUMVERIFIEDby Harsh

Shodan: http.html:/wp-content/plugins/newsletter/

FOFA: body=/wp-content/plugins/newsletter/

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-dd8c4f62b072

Scores

CVSS v3 6.1

EPSS 0.0313

EPSS Percentile 86.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

thenewsletterplugin/newsletter < 7.4.5

Published Jun 13, 2022

Tracked Since Feb 18, 2026