Impact
A Cross-Site Request Forgery flaw in the Newsletter subscription optin module allows an attacker to have a crafted request submitted on behalf of an authenticated user, with the result that arbitrary malicious script is stored in the WordPress database. When a site visitor subsequently loads a page containing the stored data, the script executes in their browser, leading to credential theft, session hijacking, or defacement. The issue is classified as CWE-352 (Cross-Site Request Forgery) and shows how missing request validation on the server can end in script execution in visitors' browsers.
Affected Systems
WordPress sites running the Newsletter subscription optin module plugin at version 1.2.9 or earlier are vulnerable. The plugin, identified as newsletter-subscription-widget-for-sendblaster in the nonletter namespace, is commonly referenced in WordPress plugin repositories.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score is below 1%, suggesting that exploitation is currently unlikely but not impossible, and the vulnerability is not listed in the CISA KEV catalog. An attacker could exploit it by forging a request to the plugin's endpoint, so that a malicious payload is stored in the WordPress database and executed when visitors load the affected page (this exploitation path is inferred). The stored payload would persist until the database entry is modified or the plugin is removed.
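The pattern described above, a settings handler that accepts any POST and stores it unescaped, next to the defensive form WordPress provides for it (nonce check, capability check, sanitization on input, escaping on output). This is an added illustration, not code from the plugin or advisory; the hook, option key and field names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code.
// Hook names, option key and form field are hypothetical.

// BEFORE: the shape of a CWE-352 flaw that becomes stored XSS. Any POST
// that reaches this handler is trusted, and the raw value is persisted.
function example_optin_save_unsafe() {
    update_option( 'example_optin_message', $_POST['optin_message'] );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// AFTER: bind the request to the logged-in session with a nonce, require
// the capability, and sanitize before storing.
function example_optin_save_hardened() {
    // Dies unless the POST carries a valid nonce for this action; a form
    // posted from a third-party site cannot supply one.
    check_admin_referer( 'example_optin_save', 'example_optin_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    // Strip tags and control characters. If limited HTML is genuinely
    // needed, use wp_kses_post() here instead of sanitize_text_field().
    $message = isset( $_POST['optin_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['optin_message'] ) )
        : '';
    update_option( 'example_optin_message', $message );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_optin_save', 'example_optin_save_hardened' );

// The settings form must emit the matching nonce field...
function example_optin_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_optin_save">
        <?php wp_nonce_field( 'example_optin_save', 'example_optin_nonce' ); ?>
        <input type="text" name="optin_message"
               value="<?php echo esc_attr( get_option( 'example_optin_message', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// ...and the stored value must be escaped where it is rendered, so that a
// payload saved before the fix still cannot execute in a visitor's browser.
function example_optin_render_widget() {
    echo '<p class="optin-message">' . esc_html( get_option( 'example_optin_message', '' ) ) . '</p>';
}
```

Output escaping is the part that also neutralises data already in the database; the nonce alone only stops new forged writes.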
OpenCVE Enrichment