The nonletter Newsletter subscription optin module (newsletter-subscription-widget-for-sendblaster) contains a CSRF vulnerability that enables an attacker to submit unauthorized requests on behalf of a user. This vulnerability can be exploited to inject stored XSS payloads, potentially compromising user sessions or data. The issue affects all versions up to 1.2.9. The CVSS 3.1 vector indicates the attack can be performed remotely without privileges but requires user interaction, and it impacts confidentiality, integrity, and availability to a limited extent.

Successful exploitation of this vulnerability can result in stored XSS attacks, which may lead to session hijacking, defacement, or other malicious actions executed in the context of the affected application. The CSRF aspect allows attackers to trick authenticated users into submitting malicious requests, increasing the risk of unauthorized actions. The overall impact is rated high due to the combination of CSRF and stored XSS.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the vulnerable module or implementing additional CSRF protections such as anti-CSRF tokens or same-site cookies. Monitoring for suspicious activity related to the subscription widget is also advisable.