CVE-2022-1756: 
NixOS vulnerability analysis and mitigation

The Newsletter WordPress plugin before version 7.4.5 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1756. The vulnerability was discovered in May 2022 and affects the plugin's admin pages where the $_SERVER['REQUEST_URI'] parameter is not properly sanitized and escaped before being echoed back (WPScan).

The vulnerability stems from improper neutralization of input during web page generation in admin pages. Although the plugin uses addslashes function, and modern browsers automatically URLEncode requests, the vulnerability remains exploitable in older browsers such as Internet Explorer 9 or below. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute malicious JavaScript code in the context of the victim's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks when users visit affected admin pages (WPScan).

The vulnerability has been fixed in Newsletter plugin version 7.4.5. Users are advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).