CVE-2020-35932

Name of the Vulnerable Software and Affected Versions: Newsletter plugin versions prior to 6.8.2 for WordPress

Description: The issue allows authenticated remote attackers with minimal privileges to inject arbitrary PHP objects via the options[inline edits] parameter using the "tpnc render" AJAX action. Exploitability depends on PHP objects that might be present with certain other plugins or themes.

Recommendations: For versions prior to 6.8.2, update to version 6.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "tpnc render" AJAX action to minimize the risk of exploitation. Avoid using the options[inline edits] parameter in the affected AJAX endpoint until the issue is resolved.