Newspack Newsletters Security & Risk Analysis

wordpress.org/plugins/newspack-newsletters

Create email newsletters with the block editor and distribute them with your favorite ESP mailing lists.

1K active installs · v3.28.5 · PHP 7.4+ · WP 6.6+ · Updated Mar 3, 2026
Tags: active-campaign, constant-contact, mailchimp, newsletters, newspack
Score: 97 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Jun 5, 2025

Safety Verdict

Is Newspack Newsletters Safe to Use in 2026?

Generally Safe

Score 97/100

Newspack Newsletters has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jun 5, 2025 · Updated 1mo ago

Risk Assessment

The newspack-newsletters plugin v3.29.0-alpha.1 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and a high percentage of output escaping. It also incorporates a reasonable number of nonce and capability checks. However, a significant concern arises from the presence of an unprotected AJAX handler, which represents a direct entry point into the plugin's functionality without proper authorization validation. This is particularly worrisome given the plugin's history of vulnerabilities, including Missing Authorization and Open Redirect issues.

The vulnerability history, despite having no currently unpatched CVEs, reveals a pattern of medium-severity issues that were previously exploitable. The recurrence of Missing Authorization and Open Redirect vulnerabilities suggests potential weaknesses in how user actions and external data are handled. While the taint analysis did not reveal critical or high-severity flows, the presence of unsanitized paths warrants attention. The lack of bundled libraries is a positive indicator, reducing the risk of outdated and vulnerable third-party components.

In conclusion, while the plugin employs some robust security measures like prepared statements and good output escaping, the unprotected AJAX endpoint is a critical flaw that exposes it to potential exploitation. The historical vulnerability patterns, particularly around authorization, further underscore the need for rigorous code review and robust security checks at all entry points. The overall security posture leans towards concerning due to the readily exploitable entry point.

Key Concerns

  • Unprotected AJAX handler
  • Flows with unsanitized paths
  • Previous medium severity vulnerabilities (3 total)
  • Vulnerability history includes Missing Authorization
  • Vulnerability history includes Open Redirect
Vulnerabilities
3

Newspack Newsletters Security Vulnerabilities

CVEs by Year

2 CVEs in 2024
1 CVE in 2025

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-49325 · medium · 6.1 · URL Redirection to Untrusted Site ('Open Redirect')

Newspack Newsletters <= 3.13.0 - Open Redirect

Jun 5, 2025 · Patched in 3.14.0 (8d)

CVE-2024-37475 · medium · 5.3 · Missing Authorization

Newspack Newsletters <= 2.13.2 - Missing Authorization

Jul 1, 2024 · Patched in 2.13.3 (9d)

CVE-2024-37242 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Newspack Newsletters <= 2.13.2 - Cross-Site Request Forgery

Jun 21, 2024 · Patched in 2.13.3 (6d)

Code Analysis
Analyzed Mar 16, 2026

Newspack Newsletters Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (8 prepared)
Unescaped Output: 31 (265 escaped)
Nonce Checks: 7
Capability Checks: 13
File Operations: 6
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

100% prepared · 8 total queries

Output Escaping

90% escaped · 296 total outputs

Data Flows
2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
add_subscription_intent (includes\class-newspack-newsletters-subscription.php:371)
Attack Surface
1 unprotected

Newspack Newsletters Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_newspack_newsletters_activation_nag_dismissal · includes\class-newspack-newsletters.php:113

WordPress Hooks 144
action · init · includes\ads\class-ads-placements.php:26
action · init · includes\ads\class-ads.php:39
action · init · includes\ads\class-ads.php:40
action · init · includes\ads\class-ads.php:41
action · rest_api_init · includes\ads\class-ads.php:43
action · admin_menu · includes\ads\class-ads.php:44
action · current_screen · includes\ads\class-ads.php:45
filter · get_post_metadata · includes\ads\class-ads.php:46
action · newspack_newsletters_tracking_pixel_seen · includes\ads\class-ads.php:47
action · newspack_newsletters_bulk_tracking_pixel_seen · includes\ads\class-ads.php:48
filter · newspack_newsletters_newsletter_content · includes\ads\class-ads.php:49
action · pre_get_posts · includes\ads\class-ads.php:56
filter · get_post_metadata · includes\ads\class-ads.php:346
action · enqueue_block_assets · includes\class-newspack-newsletters-blocks.php:19
filter · removable_query_args · includes\class-newspack-newsletters-bulk-actions.php:18
filter · bulk_actions-edit-newspack_nl_cpt · includes\class-newspack-newsletters-bulk-actions.php:19
filter · handle_bulk_actions-edit-newspack_nl_cpt · includes\class-newspack-newsletters-bulk-actions.php:20
action · admin_notices · includes\class-newspack-newsletters-bulk-actions.php:21
action · init · includes\class-newspack-newsletters-editor.php:47
filter · block_editor_settings_all · includes\class-newspack-newsletters-editor.php:48
action · the_post · includes\class-newspack-newsletters-editor.php:49
action · after_setup_theme · includes\class-newspack-newsletters-editor.php:50
action · enqueue_block_assets · includes\class-newspack-newsletters-editor.php:51
filter · block_categories_all · includes\class-newspack-newsletters-editor.php:52
filter · allowed_block_types_all · includes\class-newspack-newsletters-editor.php:53
action · rest_post_query · includes\class-newspack-newsletters-editor.php:54
action · rest_post_query · includes\class-newspack-newsletters-editor.php:55
action · rest_api_init · includes\class-newspack-newsletters-editor.php:56
filter · the_posts · includes\class-newspack-newsletters-editor.php:57
filter · should_load_remote_block_patterns · includes\class-newspack-newsletters-editor.php:58
filter · excerpt_length · includes\class-newspack-newsletters-editor.php:611
filter · wc_memberships_trimmed_restricted_excerpt · includes\class-newspack-newsletters-editor.php:618
filter · rest_pre_echo_response · includes\class-newspack-newsletters-embed.php:53
action · init · includes\class-newspack-newsletters-layouts.php:44
action · init · includes\class-newspack-newsletters-layouts.php:45
action · admin_enqueue_scripts · includes\class-newspack-newsletters-quick-edit.php:18
action · quick_edit_custom_box · includes\class-newspack-newsletters-quick-edit.php:19
action · save_post_newspack_nl_cpt · includes\class-newspack-newsletters-quick-edit.php:20
filter · jetpack_photon_skip_image · includes\class-newspack-newsletters-renderer.php:1682
action · admin_menu · includes\class-newspack-newsletters-settings.php:20
action · admin_init · includes\class-newspack-newsletters-settings.php:21
action · admin_head · includes\class-newspack-newsletters-settings.php:22
action · admin_footer · includes\class-newspack-newsletters-settings.php:23
action · admin_init · includes\class-newspack-newsletters-settings.php:24
action · update_option_newspack_newsletters_public_posts_slug · includes\class-newspack-newsletters-settings.php:25
action · init · includes\class-newspack-newsletters-subscription-attempts.php:28
action · init · includes\class-newspack-newsletters-subscription-attempts.php:29
action · newspack_newsletters_pre_add_contact · includes\class-newspack-newsletters-subscription-attempts.php:32
action · newspack_newsletters_update_contact_lists · includes\class-newspack-newsletters-subscription-attempts.php:33
action · rest_api_init · includes\class-newspack-newsletters-subscription.php:39
action · newspack_registered_reader · includes\class-newspack-newsletters-subscription.php:40
action · resetpass_form · includes\class-newspack-newsletters-subscription.php:43
action · password_reset · includes\class-newspack-newsletters-subscription.php:44
action · newspack_magic_link_authenticated · includes\class-newspack-newsletters-subscription.php:45
action · newspack_reader_verified · includes\class-newspack-newsletters-subscription.php:46
action · template_redirect · includes\class-newspack-newsletters-subscription.php:47
action · template_redirect · includes\class-newspack-newsletters-subscription.php:48
action · wp_enqueue_scripts · includes\class-newspack-newsletters-subscription.php:51
filter · woocommerce_get_query_vars · includes\class-newspack-newsletters-subscription.php:52
filter · woocommerce_account_menu_items · includes\class-newspack-newsletters-subscription.php:53
action · woocommerce_account_newsletters_endpoint · includes\class-newspack-newsletters-subscription.php:54
action · template_redirect · includes\class-newspack-newsletters-subscription.php:55
action · init · includes\class-newspack-newsletters-subscription.php:56
action · init · includes\class-newspack-newsletters-subscription.php:61
action · newspack_newsletters_process_subscription_intents · includes\class-newspack-newsletters-subscription.php:529
action · init · includes\class-newspack-newsletters.php:68
action · init · includes\class-newspack-newsletters.php:69
action · init · includes\class-newspack-newsletters.php:70
action · init · includes\class-newspack-newsletters.php:71
action · init · includes\class-newspack-newsletters.php:72
action · init · includes\class-newspack-newsletters.php:73
action · rest_api_init · includes\class-newspack-newsletters.php:74
action · admin_menu · includes\class-newspack-newsletters.php:75
action · default_title · includes\class-newspack-newsletters.php:76
action · wp_head · includes\class-newspack-newsletters.php:77
filter · display_post_states · includes\class-newspack-newsletters.php:78
filter · post_row_actions · includes\class-newspack-newsletters.php:82
filter · jetpack_relatedposts_filter_options · includes\class-newspack-newsletters.php:83
action · admin_enqueue_scripts · includes\class-newspack-newsletters.php:85
filter · newspack_theme_featured_image_post_types · includes\class-newspack-newsletters.php:86
filter · gform_force_hooks_js_output · includes\class-newspack-newsletters.php:87
filter · render_block · includes\class-newspack-newsletters.php:88
action · pre_get_posts · includes\class-newspack-newsletters.php:89
action · the_post · includes\class-newspack-newsletters.php:90
action · admin_notices · includes\class-newspack-newsletters.php:111
action · admin_enqueue_scripts · includes\class-newspack-newsletters.php:112
action · init · includes\class-subscription-lists.php:38
action · init · includes\class-subscription-lists.php:39
filter · wp_editor_settings · includes\class-subscription-lists.php:41
action · save_post · includes\class-subscription-lists.php:42
action · admin_enqueue_scripts · includes\class-subscription-lists.php:43
action · edit_form_before_permalink · includes\class-subscription-lists.php:45
action · edit_form_top · includes\class-subscription-lists.php:46
action · init · includes\plugins\woocommerce-memberships\class-sync-membership-tied-subscribers-cli.php:22
action · plugins_loaded · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:55
filter · newspack_newsletters_contact_lists · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:62
filter · newspack_newsletters_subscription_block_available_lists · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:63
filter · newspack_newsletters_manage_newsletters_available_lists · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:64
filter · newspack_post_registration_newsletters_lists · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:65
filter · newspack_auth_form_newsletters_lists · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:66
action · wc_memberships_user_membership_status_changed · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:67
action · wc_memberships_user_membership_saved · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:68
action · wc_memberships_user_membership_deleted · includes\plugins\woocommerce-memberships\class-woocommerce-memberships.php:69
action · init · includes\service-providers\active_campaign\class-newspack-newsletters-active-campaign-controller.php:21
action · rest_api_init · includes\service-providers\active_campaign\class-newspack-newsletters-active-campaign-controller.php:22
action · updated_post_meta · includes\service-providers\active_campaign\class-newspack-newsletters-active-campaign.php:67
action · wp_trash_post · includes\service-providers\active_campaign\class-newspack-newsletters-active-campaign.php:68
action · newspack_newsletters_subscription_lists_metabox_after_tag · includes\service-providers\active_campaign\class-newspack-newsletters-active-campaign.php:70
action · rest_api_init · includes\service-providers\campaign_monitor\class-newspack-newsletters-campaign-monitor-controller.php:21
action · updated_post_meta · includes\service-providers\campaign_monitor\class-newspack-newsletters-campaign-monitor.php:50
action · rest_api_init · includes\service-providers\class-newspack-newsletters-service-provider.php:69
action · pre_post_update · includes\service-providers\class-newspack-newsletters-service-provider.php:71
action · save_post · includes\service-providers\class-newspack-newsletters-service-provider.php:72
action · transition_post_status · includes\service-providers\class-newspack-newsletters-service-provider.php:73
action · updated_post_meta · includes\service-providers\class-newspack-newsletters-service-provider.php:74
action · wp_insert_post · includes\service-providers\class-newspack-newsletters-service-provider.php:75
filter · wp_insert_post_data · includes\service-providers\class-newspack-newsletters-service-provider.php:76
action · init · includes\service-providers\constant_contact\class-newspack-newsletters-constant-contact-controller.php:21
action · rest_api_init · includes\service-providers\constant_contact\class-newspack-newsletters-constant-contact-controller.php:22
action · admin_init · includes\service-providers\constant_contact\class-newspack-newsletters-constant-contact.php:68
action · update_option_newspack_newsletters_constant_contact_api_key · includes\service-providers\constant_contact\class-newspack-newsletters-constant-contact.php:69
action · update_option_newspack_newsletters_constant_contact_api_secret · includes\service-providers\constant_contact\class-newspack-newsletters-constant-contact.php:70
action · updated_post_meta · includes\service-providers\constant_contact\class-newspack-newsletters-constant-contact.php:71
action · wp_trash_post · includes\service-providers\constant_contact\class-newspack-newsletters-constant-contact.php:72
action · update_option_newspack_mailchimp_api_key · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp-cached-data.php:86
filter · cron_schedules · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp-cached-data.php:89
action · admin_notices · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp-cached-data.php:95
action · init · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp-controller.php:23
action · rest_api_init · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp-controller.php:24
filter · newspack_newsletters_newsletter_content · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp.php:62
action · updated_post_meta · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp.php:63
action · wp_trash_post · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp.php:64
filter · newspack_newsletters_process_link · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp.php:65
filter · newspack_newsletters_add_contact_reader_error_message · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp.php:66
action · newspack_newsletters_subscription_lists_metabox_after_tag · includes\service-providers\mailchimp\class-newspack-newsletters-mailchimp.php:67
action · admin_menu · includes\tracking\class-admin.php:18
action · admin_init · includes\tracking\class-admin.php:19
action · add_option_newspack_newsletters_use_tracking_pixel · includes\tracking\class-admin.php:20
action · add_option_newspack_newsletters_use_click_tracking · includes\tracking\class-admin.php:21
action · update_option_newspack_newsletters_use_tracking_pixel · includes\tracking\class-admin.php:22
action · update_option_newspack_newsletters_use_click_tracking · includes\tracking\class-admin.php:23
action · pre_get_posts · includes\tracking\class-admin.php:31
action · init · src\blocks\subscribe\index.php:25
action · template_redirect · src\blocks\subscribe\index.php:554

Maintenance & Trust

Newspack Newsletters Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 3, 2026
PHP min version: 7.4
Downloads: 76K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 1K

Developer Profile

Newspack Newsletters Developer Profile

Automattic

213 plugins · 19.2M total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 1384 days
Detection Fingerprints

How We Detect Newspack Newsletters

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/newspack-newsletters/dist/blocks.js
/wp-content/plugins/newspack-newsletters/dist/blocks.css
Script Paths
/wp-content/plugins/newspack-newsletters/dist/blocks.js
Version Parameters
newspack-newsletters/dist/blocks.js?ver=
newspack-newsletters/dist/blocks.css?ver=

HTML / DOM Fingerprints

CSS Classes
block-editor-block-list__block
Data Attributes
data-block="newspack-blocks/subscribe"
JS Globals
newspack_newsletters_blocks