VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 26 known issues Latest disclosed Dec 31, 2025

Newsletters Vulnerabilities

Review known vulnerability records for the WordPress plugin Newsletters (`newsletters-lite`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-67911, CVE-2025-69020 and CVE-2025-54034, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
26
High or Critical
8
Patch Coverage
100%
Last Updated
Feb 06, 2026
Priority CVE Quick Links

Fast paths into Newsletters CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
24
CVE-2018-20987 Critical 4.6.8.6
CVE-2018-20987 Newsletters Vulnerability

Newsletters <= 4.6.8.5 - Object Injection

CVE-2024-32954 Critical 4.9.6
CVE-2024-32954 Newsletters Remote Code Execution

Newsletters <= 4.9.5 - Authenticated (Admin+) Arbitrary File Upload

CVE-2024-8247 High 4.9.9.3
CVE-2024-8247 Newsletters Privilege Escalation

Newsletters <= 4.9.9.2 - Authenticated Privilege Escalation

CVE-2019-14788 High 4.6.19
CVE-2019-14788 Newsletters Vulnerability

Newsletters <= 4.6.18 - Directory Traversal

CVE-2025-67911 High 4.12
CVE-2025-67911 Newsletters Vulnerability

Newsletters <= 4.11 - Unauthenticated PHP Object Injection

CVE-2025-54034 High 4.11
CVE-2025-54034 Newsletters Local File Inclusion

Newsletters <= 4.10 - Unauthenticated Local File Inclusion

CVE-2025-4857 High 4.10
CVE-2025-4857 Newsletters Local File Inclusion

Newsletters <= 4.9.9.9 - Authenticated (Administrator+) Local File Inclusion

CVE-2025-2009 High 4.9.9.8
CVE-2025-2009 Newsletters Stored Cross-Site Scripting

Newsletters <= 4.9.9.7 - Unauthenticated Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Newsletters so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
26 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
2 critical and 6 high severity findings.
Recent CVEs
CVE-2025-67911, CVE-2025-69020 and CVE-2025-54034
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Newsletters

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2025-67911
CVE-2025-67911: Newsletters <= 4.11 - Unauthenticated PHP Object Injection

The Newsletters plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.11 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable s...

Published
Dec 31, 2025
Patched Release
4.12
Affected Versions
Versions up to 4.11
Next Step
Update to 4.12 or newer if supported.
Open CVE-2025-67911 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-69020
CVE-2025-69020: Newsletters <= 4.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inj...

Published
Dec 28, 2025
Patched Release
4.13
Affected Versions
Versions up to 4.12
Next Step
Update to 4.13 or newer if supported.
Open CVE-2025-69020 Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-54034
CVE-2025-54034: Newsletters <= 4.10 - Unauthenticated Local File Inclusion

The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.10. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files....

Published
Jul 29, 2025
Patched Release
4.11
Affected Versions
Versions up to 4.10
Next Step
Update to 4.11 or newer if supported.
Open CVE-2025-54034 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-54035
CVE-2025-54035: Newsletters <= 4.10 - Cross-Site Request Forgery

The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action...

Published
Jul 16, 2025
Patched Release
4.11
Affected Versions
Versions up to 4.10
Next Step
Update to 4.11 or newer if supported.
Open CVE-2025-54035 Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-4857
CVE-2025-4857: Newsletters <= 4.9.9.9 - Authenticated (Administrator+) Local File Inclusion

The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files...

Published
May 30, 2025
Patched Release
4.10
Affected Versions
Versions up to 4.9.9.9
Next Step
Update to 4.10 or newer if supported.
Open CVE-2025-4857 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-3107
CVE-2025-3107: Newsletters <= 4.9.9.8 - Authenticated (Contributor+) SQL Injection orderby Parameter

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby' parameter in all versions up to, and including, 4.9.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

Published
May 12, 2025
Patched Release
4.9.9.9
Affected Versions
Versions up to 4.9.9.8
Next Step
Update to 4.9.9.9 or newer if supported.
Open CVE-2025-3107 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-30921
CVE-2025-30921: Newsletters <= 4.9.9.7 - Authenticated (Administrator+) SQL Injection

The Newsletters plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.9.9.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attacke...

Published
Mar 27, 2025
Patched Release
4.9.9.8
Affected Versions
Versions up to 4.9.9.7
Next Step
Update to 4.9.9.8 or newer if supported.
Open CVE-2025-30921 Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-2009
CVE-2025-2009: Newsletters <= 4.9.9.7 - Unauthenticated Stored Cross-Site Scripting

The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logging functionality in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

Published
Mar 25, 2025
Patched Release
4.9.9.8
Affected Versions
Versions up to 4.9.9.7
Next Step
Update to 4.9.9.8 or newer if supported.
Open CVE-2025-2009 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-13739
CVE-2024-13739: Newsletters <= 4.9.9.7 - Reflected Cross-Site Scripting via To Parameter

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arb...

Published
Mar 21, 2025
Patched Release
4.9.9.8
Affected Versions
Versions up to 4.9.9.7
Next Step
Update to 4.9.9.8 or newer if supported.
Open CVE-2024-13739 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-24599
CVE-2025-24599: Newsletters <= 4.9.9.6 - Reflected Cross-Site Scripting

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.9.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in p...

Published
Dec 26, 2024
Patched Release
4.9.9.7
Affected Versions
Versions up to 4.9.9.6
Next Step
Update to 4.9.9.7 or newer if supported.
Open CVE-2025-24599 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-10181
CVE-2024-10181: Newsletters <= 4.9.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via newsletters_video Shortcode

The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possi...

Published
Oct 28, 2024
Patched Release
4.9.9.5
Affected Versions
Versions up to 4.9.9.4
Next Step
Update to 4.9.9.5 or newer if supported.
Open CVE-2024-10181 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-47346
CVE-2024-47346: Newsletters <= 4.9.9.1 - Reflected Cross-Site Scripting

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.9.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

Published
Sep 27, 2024
Patched Release
4.9.9.2
Affected Versions
Versions up to 4.9.9.1
Next Step
Update to 4.9.9.2 or newer if supported.
Open CVE-2024-47346 Report Open CVE Reference