Newsletter WordPress Plugin Opens Door to Site Takeover
Newsletter, a WordPress plugin for building newsletters and email campaigns from within the platform, has been downloaded over 300,000 times. Security researchers recently found that the plugin contains a pair of vulnerabilities that, together, could allow threat actors to take over a site: one is a cross-site scripting (XSS) bug and the other is a PHP object-injection vulnerability.
The XSS bug carries a medium-severity CVSS score of 6.5, while the PHP object-injection vulnerability scores higher at 7.5. Successful exploitation of the XSS bug would allow an attacker who is already logged in to inject malicious code into a page in the victim's browser. Exploiting it requires the attacker to lure the victim into clicking a malicious link or file; once that succeeds, however, the bug can be used to inject backdoors or grant admin privileges.