What the vulnerability does
01 Description
Cross-Site Request Forgery (CSRF) vulnerability in nonletter Newsletter subscription optin module newsletter-subscription-widget-for-sendblaster allows Stored XSS. This issue affects Newsletter subscription optin module: from n/a through <= 1.2.9.
Explanation of Vulnerability in Simple Terms
02 Summary
The Newsletter subscription optin module contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unwanted actions on behalf of an authenticated user. An attacker can craft a malicious link or page that, when visited by a logged-in site administrator, executes unauthorized subscription or configuration changes. The vulnerability affects all versions up to 1.2.9 and requires user interaction to exploit.
What an attacker can do
03 Attacker Capabilities
Perform unauthorized subscription or module configuration changes on behalf of a logged-in administrator.
Potential impact on your site
04 Site Impact
An attacker can modify newsletter subscriptions or module settings without your knowledge or consent.
Conditions required to exploit
05 Prerequisites
A site administrator must visit an attacker-controlled page or click a malicious link while logged in.
Key dates
06 Disclosure timeline
August 28, 2025: CVE published
April 28, 2026: Record updated