Stored Cross-Site Scripting Vulnerability Patched in Newsletter WordPress Plugin

via wordfence.com

On August 16, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin, which is actively installed on more than 300,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

We contacted The Newsletter Team on August 16, 2023, and received a response the next day. After we provided full disclosure details, the developer released a patch on August 17, 2023. We would like to commend The Newsletter Team for their prompt response and timely patch, which was released on the same day.