The MailPoet Newsletters plugin for WordPress is vulnerable to a security issue known as Reflected Cross-Site Scripting up to version 2.6.19. This means it is possible for someone without permission to inject unwanted web scripts into pages which can be activated if they can trick a user into performing an action such as clicking a link. This happens because the plugin does not properly check the input and output for malicious content.