CVE-2025-48308
nonletter · nonletter Newsletter subscription optin module
**A high-severity Cross-Site Request Forgery (CSRF) vulnerability in the nonletter Newsletter subscription optin module allows for Stored XSS, posing a risk of website compromise.**
Executive summary
A high-severity Cross-Site Request Forgery (CSRF) vulnerability in the nonletter Newsletter subscription optin module allows for Stored XSS, posing a risk of website compromise.
Vulnerability
The application is susceptible to a Cross-Site Request Forgery (CSRF) attack. An unauthenticated attacker can craft a malicious request that, when an authenticated administrator's browser submits it, stores a persistent malicious script (Stored XSS) in a part of the website that is served to other users.
Business impact
This vulnerability has a CVSS score of 7.1, classifying it as High severity. Exploitation could allow an attacker to take over user sessions, steal sensitive information submitted by users, deface the site, or distribute malware to visitors. This directly undermines user trust and the security integrity of the web property.
Remediation
Immediate Action: The primary remediation is to update the nonletter Newsletter subscription optin module to the latest patched version immediately.
Proactive Monitoring: Regularly audit website content and database entries for signs of injected scripts or unauthorized modifications. Review administrative action logs for suspicious activity.
Compensating Controls: Deploying a Web Application Firewall (WAF) with up-to-date rules against CSRF and XSS attacks can provide an effective, immediate layer of defense.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability combines two powerful attack vectors and represents a significant threat to the affected website. The High severity rating requires an urgent response. Administrators must prioritize applying the vendor-supplied update to prevent attackers from injecting malicious code into the site.