Key Information

Vulnerability Description
Vulnerability name: Newsletter < 8.8.5 - Admin+ Stored XSS via Form
Description: The plugin does not sanitise and escape some of its form settings, which allows high-privilege users (such as administrators) to perform stored cross-site scripting attacks even when the feature is disabled.

Affected Plugin
Plugin name: newsletter
Fixed in version: 8.8.5

References
CVE ID: CVE-2025-3582
URL: https://research.cleantalk.org/cve-2025-3582/

Classification
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE ID: CWE-79
CVSS score: 3.5 (Low)

Other Information
Original researcher: Dmitriy Ignatyev
Submitter: Dmitriy Ignatyev
Submitter website: https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified: Yes
WPVDB ID: 19db8521-8dff-48c5-b21a-1001895292e0

Timeline
Publicly published: 2025-05-19
Added: 2025-05-19
Last updated: 2025-05-19

Other Related Vulnerabilities
Nested Pages < 3.2.13 - Contributor+ Stored XSS
menu shortcode <= 1.0 - Contributor+ Stored XSS via Shortcode
SellKit - Funnel builder and checkout optimizer for WooCommerce to sell more, faster < 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Multiple Post Passwords < 1.1.2 - Admin+ Stored XSS
Table Editor < 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting