Newsletters 4.10 Release Notes

Release notes for version 4.10 of the WordPress Newsletter plugin.

Added

• Support for specifying taxonomy and terms in newsletters_posts shortcode. Only in shortcode text. Find more info here: https://tribulant.com/docs/wordpress-mailing-list-plugin/95/wp-newsletters-shortcodes/
• Shortcode Generator button in the newsletter editor beside Add Media button. For now, it only highlights the text editor button. This makes the feature more noticeable.
• Resend button to a subscriber’s view page under Emails and when viewing a previously sent newsletter in Sent & Draft Emails. This lets you resend most emails to a subscriber. Useful when subscribers let you know that they did not receive an email.
• Send Manage Subscription Email to Subscribers’ bulk actions and the view page. You can now quickly send the manage subscription email to any subscriber. Useful when subscribers do not know how to manage their subscriptions, did not confirm their subscription, or never received an email.
• First Name and Last Name to the default Custom Fields for both paid and free users. It will not override existing firstname and lastname slugs/fields, in case they exist.

Improved

• Queue background processes, improving the reliability of sending large number of emails.
• Add missing information about limits to the lite version’s top admin menu bar.
• Decreased Create Newsletter autosave interval to 20 seconds. Previously, it was 60 seconds.
• Added an attachment warning message when creating a newsletter and attaching a file.
• Move reCAPTCHA v2 invisible badge to bottom right corner of the page.
• In case double opt-in is enabled, admin email notification will now be sent after a subscriber confirms his subscription to a mailing list.

Fixed

• Drag & Drop Builder autosave caused unwanted drafts.
• Radio button labels missing in multilingual websites on various edit pages.
• Patched authenticated Local File Inclusion (LFI) in the *exportdownload* routine (CVE-2025-4857, responsibly reported by @m3ssap0 via Wordfence).
• Added nonce verification, strict filename sanitisation (`sanitize_file_name()`), and directory-scope validation with `realpath()`.
• Updated all generated download links to include the nonce.
• Sending duplicated autoresponders.
• Printing JS while setting the cookie while authenticating.
• Formatting not being saved in Subscribe Forms confirmation email setting.
• Missing template images in the default templates.
• Multisite delete serial on a subsite wasn’t clearing the validation status transient.