In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Reflected Cross-Site Scripting in Newsletter

Automattic’s WPScan claimed the plugin Newsletter contained reflected cross-site scripting (XSS) vulnerability, where the “vulnerability” would require using a web browser that hasn’t been received security updates for five years:

The plugin does not sanitize and escape the $_SERVER[‘REQUEST_URI’] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

If you are using an insecure web browser in an insecure operating system (since the versions of Windows that worked with Internet Explorer 9 are no longer supported either) you have a bigger issue than what is supposed to be the vulnerability here.

This false report was given a CVE id by WPScan, CVE-2022-1756, despite not really being a vulnerability.

---

Plugin Security Scorecard Grade for WPScan

Checked on April 12, 2025

See issues causing the plugin to get less than A+ grade