CVE-2025-3583: 
NixOS vulnerability analysis and mitigation

The Newsletter WordPress plugin before version 8.7.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on April 14, 2025. The issue stems from insufficient sanitization and escaping of plugin settings, which affects WordPress installations, particularly in multisite setups (WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS 3.1 base score of 4.8 (MEDIUM) from NIST and 3.5 (LOW) from CISA-ADP. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that it requires high privileges and user interaction to exploit (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed. This is particularly significant in multisite WordPress setups where such restrictions are commonly implemented (WPScan).

The vulnerability has been patched in Newsletter plugin version 8.7.1. Users are advised to update to this version or later to mitigate the security risk (WPScan).