PT-2021-11867 · WordPress · Newsletters
Ramuel Gall · Published 2021-01-01 · Updated 2023-05-18
CVE-2020-35933 · CVSS v3.1 6.5 (Medium)
Vector: AC:L/AV:N/A:L/C:L/I:L/PR:L/S:C/UI:R
Name of the Vulnerable Software and Affected Versions: Newsletter plugin versions prior to 6.8.2 for WordPress

Description: A Reflected Authenticated Cross-Site Scripting (XSS) issue allows remote attackers to trick a logged-in victim into submitting a tnpc_render AJAX request. This request can contain either JavaScript in the options parameter or a base64-encoded JSON string containing JavaScript in the encoded_options parameter.

Recommendations: For versions prior to 6.8.2, update to version 6.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the tnpc_render AJAX endpoint until a patch is applied. Avoid using the options and encoded_options parameters in the affected AJAX request until the issue is resolved.
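The following is an added detection example, not code from the advisory or from the Newsletter plugin. It scans web-server access-log lines for requests to the plugin's tnpc_render AJAX action whose options or encoded_options parameter carries script markup, decoding the base64 JSON form described above. It assumes combined-log-format lines in which the query string is logged; for requests that send the parameters in a POST body, the same logic would have to run on a WAF or request-logging proxy record instead. The log lines, IP address and payload values are constructed for the example.

```python
"""Flag tnpc_render AJAX requests whose options / encoded_options parameter
carries script content (the CVE-2020-35933 pattern). Added example, not part
of the advisory; assumes the query string appears in the access log."""
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Markers that have no business in a value meant to be a JSON options list.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*svg|<\s*img", re.I)

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_encoded_options(value):
    """Return the JSON carried in a base64 encoded_options value, or None if it
    is not valid base64 JSON (the decode failure itself is worth flagging)."""
    try:
        return json.loads(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def contains_script(obj):
    """Recursively look for script markers in the strings of a decoded JSON value."""
    if isinstance(obj, str):
        return bool(SCRIPT_MARKERS.search(obj))
    if isinstance(obj, dict):
        return any(contains_script(v) for v in obj.values())
    if isinstance(obj, list):
        return any(contains_script(v) for v in obj)
    return False


def inspect_line(line):
    """Return a finding dict for a suspicious tnpc_render request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)  # percent-decodes the parameter values
    if qs.get("action", [""])[0] != "tnpc_render":
        return None
    reasons = []
    for v in qs.get("options", []):
        if SCRIPT_MARKERS.search(v):
            reasons.append("options contains script markup")
    for v in qs.get("encoded_options", []):
        decoded = decode_encoded_options(v)
        if decoded is None:
            reasons.append("encoded_options is not valid base64 JSON")
        elif contains_script(decoded):
            reasons.append("encoded_options JSON contains script markup")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "reasons": reasons}


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log: one benign tnpc_render call, one with script markup in
# options, one with script markup inside base64 JSON, and one unrelated request.
_ENCODED = quote(
    base64.b64encode(json.dumps({"title": "<img src=x onerror=alert(1)>"}).encode()).decode(),
    safe="",
)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=tnpc_render&options=%5B%5D HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2021:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=tnpc_render&options=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    f'203.0.113.9 - - [01/Jan/2021:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=tnpc_render&encoded_options={_ENCODED} HTTP/1.1" 200 655',
    '203.0.113.4 - - [01/Jan/2021:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 3210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the issue is reflected, a hit from the scan does not by itself prove a compromised account; it shows that a logged-in user's browser was steered into the endpoint with hostile input, which is the moment to confirm the plugin version is 6.8.2 or later and to check whether the same source issued other admin-ajax.php requests.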

Tags: XSS

Related Identifiers: CVE-2020-35933

Affected Products: Newsletters