CVE-2025-13515

Name of the Vulnerable Software and Affected Versions WordPress Nouri.sh Newsletter plugin versions up to and including 1.0.1.3

Description The Nouri.sh Newsletter plugin for WordPress is susceptible to Reflected Cross-Site Scripting. This is due to inadequate input sanitization and output escaping. An unauthenticated attacker can inject arbitrary web scripts into pages, which will execute if a user is tricked into performing an action, such as clicking a link. The vulnerability is related to the $ SERVER['PHP SELF'] parameter.

Recommendations Update the Nouri.sh Newsletter plugin to a version later than 1.0.1.3.