vulnerability

WordPress Plugin: newsletter: CVE-2020-35933: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:S/C:P/I:P/A:P)	Aug 3, 2020	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:P)

Published

Aug 3, 2020

Added

May 15, 2025

Modified

May 15, 2025

Description

A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter.

Solution

newsletter-plugin-cve-2020-35933

References

URL-https://www.cve.org/CVERecord?id=CVE-2020-35933
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/95dc0d79-b65a-4bfb-89c0-569bf26232df?source=api-prod
CVE-2020-35933
https://attackerkb.com/topics/CVE-2020-35933

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today