Phyo Win Shein

#21836 of 53,632
10.9 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2022-14173
4.8
2022-06-20
WordPress · The Newsletter · CVE-2022-1889
**Name of the Vulnerable Software and Affected Versions**

The Newsletter WordPress plugin, versions prior to 7.4.6

**Description**

The issue is a Stored Cross-Site Scripting vulnerability. High-privilege users could exploit it even when the `unfiltered_html` capability is disallowed, because the `preheader text` setting is not properly escaped and sanitized.

**Recommendations**

For versions prior to 7.4.6, update to version 7.4.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `preheader text` setting to minimize the risk of exploitation.
PT-2022-14089
6.1
2022-06-13
Microsoft · Internet Explorer · CVE-2022-1756
**Name of the Vulnerable Software and Affected Versions**

The Newsletter WordPress plugin, versions prior to 7.4.5

**Description**

The issue is a Reflected XSS vulnerability. It occurs because `$_SERVER['REQUEST_URI']` is not properly sanitized and escaped before being echoed back in admin pages. Although modern browsers automatically URL-encode requests, older browsers such as Internet Explorer 9 and below are still vulnerable to this issue.

**Recommendations**

For versions prior to 7.4.5, update to version 7.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to admin pages from older browsers until the update is applied.