Newsletter – Send awesome emails from WordPress Security & Risk Analysis

wordpress.org/plugins/newsletter

An email marketing tool for your blog: subscription forms to create your lists with unlimited subscribers and newsletters.

200K active installs · v9.1.7 · PHP 7.0+ · WP 6.1+ · Updated Mar 12, 2026
Tags: email-marketing, newsletter, signup-forms, subscription, welcome-email
Score: 89 · A · Safe
CVEs total: 20
Unpatched: 0
Last CVE: Jan 19, 2026
Safety Verdict

Is Newsletter – Send awesome emails from WordPress Safe to Use in 2026?

Generally Safe

Score 89/100

Newsletter – Send awesome emails from WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

20 known CVEs · Last CVE: Jan 19, 2026 · Updated 22d ago
Risk Assessment

The 'newsletter' plugin v9.1.7 exhibits a mixed security posture. While it demonstrates good practices with a high percentage of SQL queries using prepared statements and properly escaped output, significant concerns arise from its attack surface and taint analysis results. Eleven of the fifteen AJAX handlers lack authentication checks, creating a substantial entry point for unauthorized actions. Furthermore, the presence of 5 high-severity taint flows indicates potential for malicious data to be processed without adequate sanitization, which could lead to vulnerabilities if not handled carefully. The plugin's vulnerability history, with 20 known CVEs including 2 high-severity issues, points to a pattern of past security weaknesses. While there are currently no unpatched CVEs, the variety of past vulnerability types (SQL Injection, XSS, CSRF, etc.) suggests a need for ongoing vigilance and robust security development processes. Overall, the plugin has strengths in its handling of SQL and output, but the exposure of AJAX endpoints and the high-severity taint flows represent immediate risks that require attention.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • History of 2 high-severity CVEs
  • History of 18 medium-severity CVEs
  • Bundled outdated library: TinyMCE v1.0
  • Bundled outdated library: Select2
Vulnerabilities
20

Newsletter – Send awesome emails from WordPress Security Vulnerabilities

CVEs by Year

2013: 1 CVE
2015: 1 CVE
2020: 4 CVEs
2022: 2 CVEs
2023: 2 CVEs
2024: 4 CVEs
2025: 5 CVEs
2026: 1 CVE

Severity Breakdown

High: 2
Medium: 18

20 total CVEs

CVE-2026-1051 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Newsletter – Send awesome emails from WordPress <= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription

Jan 19, 2026 Patched in 9.1.1 (1d)
CVE-2025-67999 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Newsletter <= 9.0.9 - Authenticated (Administrator+) SQL Injection

Dec 15, 2025 Patched in 9.1.0 (5d)
CVE-2025-3581 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 8.8.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 19, 2025 Patched in 8.8.5 (30d)
CVE-2025-3582 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 8.8.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 19, 2025 Patched in 8.8.5 (52d)
CVE-2025-3584 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 8.8.1 - Authenticated (Admin+) Stored Cross-Site Scripting

May 13, 2025 Patched in 8.8.2 (25d)
CVE-2025-3583 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 8.7.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 14, 2025 Patched in 8.7.1 (23d)
CVE-2024-5317 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 8.3.4 - Unauthenticated Stored Cross-Site Scripting via np1

Jun 4, 2024 Patched in 8.3.5 (1d)
CVE-2024-31434 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Newsletter <= 8.0.6 - Cross-Site Request Forgery

Apr 10, 2024 Patched in 8.0.7 (7d)
CVE-2024-30522 · medium · 5.3 · Use of Less Trusted Source

Newsletter <= 8.2.0 - IP Spoofing

Mar 28, 2024 Patched in 8.2.1 (7d)
WF-5c24ee66-7b57-4e4c-bbb5-0451fc24ce4b-newsletter · medium · 4.7 · Cross-Site Request Forgery (CSRF)

Newsletter <= 8.0.6 - Cross-Site Request Forgery

Jan 10, 2024 Patched in 8.0.7 (13d)
CVE-2023-4772 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 7.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Aug 17, 2023 Patched in 7.9.0 (159d)
CVE-2023-27922 · medium · 4.7 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 7.6.8 - Reflected Cross-Site Scripting

Mar 27, 2023 Patched in 7.6.9 (302d)
CVE-2022-1889 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 7.4.5 - Authenticated (Admin+) Stored Cross-Site Scripting

May 30, 2022 Patched in 7.4.6 (603d)
CVE-2022-1756 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter – Send awesome emails from WordPress <= 7.4.4 - Reflected Cross-Site Scripting

May 23, 2022 Patched in 7.4.5 (610d)
CVE-2020-35933 · medium · 6.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 6.8.1 - Reflected Cross-Site Scripting

Aug 3, 2020 Patched in 6.8.2 (1268d)
CVE-2020-35932 · high · 7.5 · Deserialization of Untrusted Data

Newsletter <= 6.8.1 - Authenticated PHP Object Injection

Aug 2, 2020 Patched in 6.8.2 (1269d)
WF-2dce9e9a-a2f3-49a9-a6bc-00328632c654-newsletter · high · 8.3 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 6.7.6 - Stored Cross-Site Scripting

Jul 12, 2020 Patched in 6.7.7 (1290d)
WF-e91e6101-bd30-4cf1-9a39-23218c3bff6f-newsletter · medium · 5.5 · Improper Input Validation

Newsletter <= 6.5.3 - CSV Injection

Mar 16, 2020 Patched in 6.5.4 (1408d)
WF-db2a2ca9-a12c-412d-80f7-66f1dc3e09af-newsletter · medium · 4.3 · URL Redirection to Untrusted Site ('Open Redirect')

Newsletter <= 3.8.2 - Open Redirect

Mar 30, 2015 Patched in 3.8.3 (3221d)
WF-b4c6930a-b413-4acc-a0a4-9940bb8474cc-newsletter · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Newsletter <= 3.2.6 - Reflected Cross-Site Scripting

May 14, 2013 Patched in 3.2.7 (3906d)
Code Analysis
Analyzed Mar 16, 2026

Newsletter – Send awesome emails from WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 51 (183 prepared)
Unescaped Output: 460 (1768 escaped)
Nonce Checks: 15
Capability Checks: 31
File Operations: 12
External Requests: 6
Bundled Libraries: 2

Bundled Libraries

TinyMCE 1.0, Select2

SQL Query Safety

78% prepared · 234 total queries

Output Escaping

79% escaped · 2228 total outputs
Data Flows
26 unsanitized

Data Flow Analysis

25 flows · 26 with unsanitized paths
get_block_form (composer\composer-admin.php:43)
Attack Surface
11 unprotected

Newsletter – Send awesome emails from WordPress Attack Surface

Entry Points: 26
Unprotected: 11

AJAX Handlers 15

auth wp_ajax_tnpc_options composer\composer-admin.php:25
auth wp_ajax_tnpc_get_all_presets composer\composer-admin.php:26
auth wp_ajax_tnpc_get_preset composer\composer-admin.php:27
auth wp_ajax_tnpc_render composer\composer-admin.php:28
auth wp_ajax_tnpc_test composer\composer-admin.php:29
auth wp_ajax_tnpc_preview composer\composer-admin.php:30
auth wp_ajax_tnpc_css composer\composer-admin.php:31
auth wp_ajax_tnpc_regenerate_email composer\composer-admin.php:32
auth wp_ajax_tnpc_block_form composer\composer-admin.php:33
auth wp_ajax_tnpc_test_raw_html emails\emails-admin.php:29
auth wp_ajax_tnp plugin.php:154
nopriv wp_ajax_tnp plugin.php:155
auth wp_ajax_newsletter-log plugin.php:158
auth wp_ajax_tnptr statistics\statistics.php:39
nopriv wp_ajax_tnptr statistics\statistics.php:40

Shortcodes 11

[gallery] includes\composer.php:313
[newsletter] plugin.php:232
[newsletter_replace] plugin.php:233
[newsletter_profile] profile\profile.php:21
[newsletter_profile_field] profile\profile.php:22
[newsletter_export_button] profile\profile.php:29
[newsletter_profile_button] profile\profile.php:30
[newsletter_form] subscription\subscription.php:41
[newsletter_field] subscription\subscription.php:42
[newsletter_unsubscribe_button] unsubscription\unsubscription.php:30
[newsletter_resubscribe_button] unsubscription\unsubscription.php:31

WordPress Hooks 69

action wp_loaded admin.php:36
action admin_init admin.php:37
action admin_head admin.php:38
action in_admin_header admin.php:39
action admin_menu admin.php:40
action admin_enqueue_scripts admin.php:55
filter plugin_row_meta admin.php:64
action admin_bar_menu admin.php:93
action admin_notices admin.php:141
action newsletter_init classes\NewsletterAddon.php:30
action admin_menu classes\NewsletterAddon.php:62
action newsletter_menu classes\NewsletterAddon.php:65
filter newsletter_menu_settings classes\NewsletterAddon.php:69
filter newsletter_menu_subscribers classes\NewsletterAddon.php:73
filter newsletter_support_data classes\NewsletterAddon.php:76
action wp_mail_failed classes\NewsletterDefaultMailer.php:23
action phpmailer_init classes\NewsletterDefaultMailer.php:86
filter newsletter_lists_notes classes\NewsletterFormManagerAddon.php:39
action newsletter_register_mailer classes\NewsletterMailerAddon.php:40
action profile_update classes\NewsletterMembershipAddon.php:24
action set_user_role classes\NewsletterMembershipAddon.php:25
filter newsletter_current_user classes\NewsletterMembershipAddon.php:26
filter newsletter_lists_notes classes\NewsletterMembershipAddon.php:31
filter safe_style_css composer\composer.php:598
filter safe_style_css composer\composer.php:741
action newsletter_action emails\emails.php:27
action newsletter_init emails\emails.php:28
action newsletter_init includes\addon-admin.php:19
action admin_menu includes\addon-admin.php:30
filter newsletter_menu_settings includes\addon-admin.php:32
filter newsletter_menu_subscribers includes\addon-admin.php:35
filter mce_buttons includes\controls.php:1334
filter mce_buttons_2 includes\controls.php:1352
filter cron_schedules includes\cron.php:30
action cron_reschedule_event_error includes\cron.php:38
action cron_unschedule_event_error includes\cron.php:42
filter excerpt_length includes\helper.php:69
filter display_post_states main\main-admin.php:21
action plugins_loaded plugin.php:148
action init plugin.php:149
action wp_loaded plugin.php:150
action newsletter plugin.php:152
filter site_transient_update_plugins plugin.php:236
action wp_enqueue_scripts plugin.php:238
action newsletter_clean plugin.php:250
action wp_head plugin.php:379
filter display_post_states profile\profile-admin.php:21
filter newsletter_replace profile\profile.php:23
filter newsletter_page_text profile\profile.php:24
action newsletter_action profile\profile.php:25
action newsletter_action_dummy profile\profile.php:26
action wp_loaded statistics\statistics.php:34
action admin_init subscription\subscription-admin.php:22
filter display_post_states subscription\subscription-admin.php:23
action init subscription\subscription.php:30
action newsletter_action subscription\subscription.php:35
action newsletter_action_dummy subscription\subscription.php:36
filter newsletter_page_text subscription\subscription.php:37
filter the_content subscription\subscription.php:46
action wp_footer subscription\subscription.php:57
action wp_enqueue_scripts subscription\subscription.php:58
action newsletter_action subscription\subscription.php:60
filter newsletter_replace unsubscription\unsubscription.php:22
filter newsletter_page_text unsubscription\unsubscription.php:23
filter newsletter_message unsubscription\unsubscription.php:24
action newsletter_action unsubscription\unsubscription.php:26
action newsletter_action_dummy unsubscription\unsubscription.php:27
action widgets_init widget\minimal.php:107
action widgets_init widget\standard.php:156

Scheduled Events 7

newsletter
newsletter
newsletter
newsletter_clean
newsletter_update
newsletter
newsletter
Maintenance & Trust

Newsletter – Send awesome emails from WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.0
Downloads: 33.4M

Community Trust

Rating: 92/100
Number of ratings: 1,202
Active installs: 200K
Developer Profile

Newsletter – Send awesome emails from WordPress Developer Profile

Stefano Lissa

14 plugins · 515K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 650 days
Detection Fingerprints

How We Detect Newsletter – Send awesome emails from WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/newsletter/assets/css/admin.css
/wp-content/plugins/newsletter/assets/css/style.css
/wp-content/plugins/newsletter/assets/js/admin.js
/wp-content/plugins/newsletter/assets/js/front.js
/wp-content/plugins/newsletter/assets/js/main.js
/wp-content/plugins/newsletter/emails/emails.js
/wp-content/plugins/newsletter/tnp-list.js
Script Paths
/wp-content/plugins/newsletter/assets/js/main.js
/wp-content/plugins/newsletter/assets/js/admin.js
/wp-content/plugins/newsletter/assets/js/front.js
/wp-content/plugins/newsletter/emails/emails.js
/wp-content/plugins/newsletter/tnp-list.js
Version Parameters
newsletter/style.css?ver=
newsletter/main.js?ver=
newsletter/admin.js?ver=
newsletter/front.js?ver=
newsletter/emails/emails.js?ver=
newsletter/tnp-list.js?ver=

HTML / DOM Fingerprints

CSS Classes
tnp-form, tnp-field, tnp-label, tnp-input, tnp-button, tnp-submit, tnp-text, tnp-email (+43 more)
HTML Comments
<!-- Newsletter -->, <!-- Newsletter form -->, <!-- Newsletter plugin -->, <!-- END Newsletter --> (+6 more)
Data Attributes
data-newsletter-id, data-newsletter-form, data-newsletter-field, data-newsletter-nonce, data-tnp-action, data-tnp-nonce (+2 more)
JS Globals
tnp_ajaxurl, tnp_data, Newsletter
REST Endpoints
/wp-json/newsletter/v1/settings
/wp-json/newsletter/v1/subscribers
/wp-json/newsletter/v1/forms
/wp-json/newsletter/v1/campaigns
Shortcode Output
[newsletter], [newsletter_replace]
FAQ

Frequently Asked Questions about Newsletter – Send awesome emails from WordPress