CVE-2025-3583
Newsletter < 8.7.1 - Admin+ Stored XSSThe Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
We have discovered 32,933 live websites that are affected by CVE-2025-3583.
Affected Software
| Product |  Newsletter |
| Category | Wordpress Plugins |
| Vulnerable Domains | 32,933 live websites (39% of Newsletter install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 348 versions ( 91% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - May 5, 2025
- Updated - May 5, 2025
Credits
- Dmitrii Ignatyev (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-3583 United States | 7,221 websites |
 Germany | 4,662 websites |
 Italy | 2,845 websites |
 France | 2,610 websites |
 Poland | 1,419 websites |
 GB | 1,184 websites |
 Spain | 839 websites |
 Netherlands | 629 websites |
 Brazil | 601 websites |
 Russia | 591 websites |
Website Distribution by TLD
Number of websites using CVE-2025-3583| .com | 12,248 websites |
| .de | 2,572 websites |
| .it | 1,952 websites |
| .org | 1,781 websites |
| .fr | 1,067 websites |
| .pl | 1,058 websites |
| .net | 682 websites |
| .co.uk | 578 websites |
| .com.br | 525 websites |
| .eu | 524 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-3583
Top websites that are affected by CVE-2025-3583. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| **************.com | United States | **,*** | |
| ******.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| **************.com | United States | **,*** | |
| ********.org | **,*** | ||
| **********.com | United States | **,*** | |
| *******.org | Germany | **,*** | |
| ***************.com | United States | **,*** |
FAQ
CVE-2025-3583 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Newsletter
A total of 32,933 websites have been identified as vulnerable to CVE-2025-3583, based on global website indexing conducted by WebTechSurvey.
The Newsletter is affected by the CVE-2025-3583 vulnerability.
Newsletter versions up to 8.7.1 are vulnerable to CVE-2025-3583.
CVE-2025-3583 is resolved in version 8.7.1 of Newsletter.