CVE-2025-3581: 
NixOS vulnerability analysis and mitigation

The Newsletter WordPress plugin before version 8.8.5 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-3581. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on May 19, 2025. This security issue affects the Widget options functionality within the Newsletter plugin for WordPress installations (WPScan).

The vulnerability stems from improper validation and escaping of Widget options before they are output back in pages or posts where the block is embedded. It has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS 3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability enables high privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed. This is particularly concerning in multisite setup environments where such restrictions are commonly implemented (WPScan).

The vulnerability has been patched in Newsletter plugin version 8.8.5. Website administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).