{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1051", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-16T16:43:52.499Z", "datePublished": "2026-01-20T01:22:45.980Z", "dateUpdated": "2026-04-08T17:06:15.083Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:15.083Z"}, "affected": [{"vendor": "satollo", "product": "Newsletter \u2013 Send awesome emails from WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Newsletter \u2013 Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link."}], "title": "Newsletter \u2013 Send awesome emails from WordPress <= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sergej Ljubojevic"}, {"lang": "en", "type": "finder", "value": "Boris Bogosavac"}], "timeline": [{"time": "2026-01-05T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-17T11:23:47.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-19T11:44:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T20:33:50.543260Z", "id": "CVE-2026-1051", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:34:46.858Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1051", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T20:33:50.543260Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:33:56.009Z"}}], "cna": {"title": "Newsletter \u2013 Send awesome emails from WordPress <= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription", "credits": [{"lang": "en", "type": "finder", "value": "Sergej Ljubojevic"}, {"lang": "en", "type": "finder", "value": "Boris Bogosavac"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "satollo", "product": "Newsletter \u2013 Send awesome emails from WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "9.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-05T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-17T11:23:47.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-19T11:44:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141"}], "descriptions": [{"lang": "en", "value": "The Newsletter \u2013 Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-20T01:22:45.980Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1051", "state": "PUBLISHED", "dateUpdated": "2026-01-20T20:34:46.858Z", "dateReserved": "2026-01-16T16:43:52.499Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-20T01:22:45.980Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Newsletter \u2013 Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin de WordPress 'The Newsletter \u2013 Send awesome emails from WordPress' es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 9.1.0, inclusive. Esto se debe a la validaci\u00f3n de nonce faltante o incorrecta en la funci\u00f3n hook_newsletter_action(). Esto hace posible que atacantes no autenticados den de baja a suscriptores del bolet\u00edn a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un usuario con sesi\u00f3n iniciada para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1051", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-20T02:15:46.423", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T19:09:21.364052+00:00", "value": {"mitigation_remediation": ["Upgrade the Newsletter plugin to version 9.1.1 or later to restore proper nonce validation. ", "If an update cannot be applied immediately, modify the unsubscription handler to enforce nonce checks or remove the public unsubscription endpoint entirely. ", "Deploy a web application firewall or security plugin to block or rate\u2011limit requests to the unsubscription URL that lack a valid nonce."], "summary": {"action": "Apply Patch", "impact": "Unsubscribes newsletter subscribers via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of the \"Newsletter \u2013 Send awesome emails from WordPress\" plugin distributed by satollo, specifically releases up through version 9.1.0.", "description_and_impact": "The Newsletter plugin lacks proper nonce validation in the hook_newsletter_action function, exposing it to Cross\u2011Site Request Forgery (CWE\u2011352). An attacker can forge a request that, when a logged\u2011in user clicks a malicious link, removes a subscriber from the newsletter list without the user\u2019s knowledge. This flaw can erode a site\u2019s subscription base and undermine user trust, though it does not grant code execution or broad system access.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while an EPSS score of less than 1\u2009% suggests a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalogue. Availability of the vulnerability depends on an attacker convincing a legitimate user to visit a crafted URL; the attacker requires no special privileges beyond creating a forged request. The consequence is the irreversible removal of subscribers, which can impact marketing efforts and audience engagement."}}}}, "created": "2026-01-20T08:40:05.986058+00:00", "updated": "2026-04-15T19:15:12.081053+00:00", "vendors": ["satollo", "satollo$PRODUCT$newsletter_\u2013_send_awesome_emails_from_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}