CVE-2025-3584: 
NixOS vulnerability analysis and mitigation

The Newsletter WordPress plugin before version 8.8.2 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-3584. The vulnerability was discovered in the plugin's Subscription settings functionality and was publicly disclosed on May 13, 2025. This security issue affects WordPress installations using the Newsletter plugin versions prior to 8.8.2 (WPScan).

The vulnerability stems from improper sanitization and escaping of Subscription settings in the Newsletter plugin. Specifically, the issue is present in the 'Page content' field of the Subscription settings accessible at /wp-admin/admin.php?page=newslettersubscriptionwelcome. The vulnerability has been assigned a CVSS score of 4.8 (medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N and is classified under CWE-79 (Cross-Site Scripting) (WPScan, Wiz).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfilteredhtml capability is disallowed (for example in multisite setup). The XSS payload can be triggered when any authenticated user submits data to a form from the plugin, such as when interacting with the [newsletterform] shortcode embedded in pages or posts (WPScan).

The vulnerability has been patched in Newsletter plugin version 8.8.2. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).