CVE-2022-1756

CVE-2022-1756: Newsletter < 7.4.5 - Reflected Cross-Site Scripting

Vendor Unknown

Product Newsletter – Send awesome emails from WordPress

Weakness CWE-79 · XSS

Published June 13, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

Key dates

02Disclosure timeline

June 13, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1756 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-0011 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication CVE-2025-58092 CVE-2024-38741 WordPress Amazing Hover Effects plugin <= 2.4.9 - Cross Site Scripting (XSS) vulnerability CVE-2025-6252 Qi Addons For Elementor <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-24635 WordPress Paytm – Donation Plugin plugin <= 2.3.1 - Reflected Cross Site Scripting (XSS) vulnerability