Cross-site scripting vulnerability in Newsletter versions before 7.6.9 allows a remote unauthenticated malicious user to inject an arbitrary script.
thenewsletterplugin newsletter