CVE-2025-3582: 
NixOS vulnerability analysis and mitigation

The Newsletter WordPress plugin before version 8.85 contains a security vulnerability (CVE-2025-3582) discovered by security researcher Dmitrii Ignatyev and publicly disclosed on May 19, 2025. The vulnerability affects the Form settings functionality within the plugin, where insufficient sanitization and escaping of input could lead to security risks (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS 3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The technical issue stems from the plugin's failure to properly sanitize and escape Form settings, particularly affecting the Form configuration interface (NVD, WPScan).

The vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks. This security flaw is particularly significant in multisite setups where it can be exploited even when the unfiltered_html capability is disallowed (WPScan).

The vulnerability has been patched in Newsletter WordPress plugin version 8.85. Users are strongly advised to update their installations to this version or later to mitigate the security risk (WPScan).