WordPress · Newsletter Manager Plugin · CVE-2012-6628
**Name of the Vulnerable Software and Affected Versions**
Newsletter Manager plugin for WordPress versions prior to 1.0.2
**Description**
The issue allows remote attackers to inject arbitrary web script or HTML, i.e. cross-site scripting (XSS). It is reachable through several parameters: `xyz_em_campName` in `admin/create_campaign.php` or `admin/edit_campaign.php`, `xyz_em_email` in `admin/edit_email.php`, `xyz_em_exportbatchSize` in `import_export.php`, and the pagination limit in the Newsletter Manager Options.
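As an added illustration of the bug class behind this advisory (not code from the plugin or from the advisory), the unsafe pattern that lets a request parameter land in HTML unescaped, beside the WordPress-idiomatic fix; the function names, the form markup and the option default are assumptions.

```php
<?php
// Constructed illustration, not the plugin's actual source. Assumption: an
// admin form re-displays the submitted campaign name inside an <input> value.

// Vulnerable pattern: the raw parameter is concatenated into markup, so a
// value containing a double quote and angle brackets ends the attribute and
// the rest of the value is parsed as HTML (reflected XSS).
function render_campaign_name_unsafe( array $request ) {
    $name = isset( $request['xyz_em_campName'] ) ? $request['xyz_em_campName'] : '';
    return '<input type="text" name="xyz_em_campName" value="' . $name . '">';
}

// Hardened pattern: sanitize on the way in, escape for the exact output context.
function render_campaign_name_safe( array $request ) {
    $name = isset( $request['xyz_em_campName'] ) ? $request['xyz_em_campName'] : '';
    // wp_unslash() undoes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, octets and control characters.
    $name = sanitize_text_field( wp_unslash( $name ) );
    // esc_attr() encodes quotes and angle brackets for an attribute context.
    // A value printed as element text would use esc_html() instead.
    return '<input type="text" name="xyz_em_campName" value="' . esc_attr( $name ) . '">';
}

// Numeric settings such as the pagination limit or xyz_em_exportbatchSize
// should be coerced to a positive integer; a value that is only ever an int
// leaves nothing for markup to be injected through. Default is assumed.
function sanitize_page_limit( $value, $default = 20 ) {
    $limit = absint( $value );
    return $limit > 0 ? $limit : $default;
}
```

The escaping function must match the output context (attribute, text, URL, JavaScript); escaping once with the wrong function, or only at input time, leaves the same gap.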
**Recommendations**
For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected admin pages, namely `admin/create_campaign.php`, `admin/edit_campaign.php`, `admin/edit_email.php`, and `import_export.php`, until the update is applied. Avoid using the vulnerable parameters, such as `xyz_em_campName`, `xyz_em_email`, and `xyz_em_exportbatchSize`, on those pages until the issue is resolved.