CVE-2026-1051
Unknown Unknown - Not Provided
CSRF Vulnerability in Newsletter WordPress Plugin Allows Unsubscribe Abuse

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Wordfence

Description
The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1051
EUVD
EUVD-2026-3489
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
newsletter newsletter to 9.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Newsletter WordPress plugin (up to version 9.1.0). It occurs because the plugin's hook_newsletter_action() function lacks proper nonce validation, allowing unauthenticated attackers to trick logged-in users into unsubscribing newsletter subscribers by making them perform unintended actions, such as clicking a malicious link.

Impact Analysis

An attacker exploiting this vulnerability can cause logged-in users to unknowingly unsubscribe newsletter subscribers without their consent. This can lead to loss of subscribers, disruption of communication with your audience, and potential damage to your newsletter's reputation and effectiveness.

Detection Guidance

This vulnerability involves Cross-Site Request Forgery (CSRF) on the Newsletter WordPress plugin's unsubscription functionality. Detection can focus on monitoring for unusual or unauthorized unsubscribe requests, especially POST requests to the newsletter action URL with actions like 'uc' (unsubscribe confirm) or 'u' (unsubscribe). You can inspect web server logs for such requests originating from unexpected sources or without proper nonce validation. For example, using command-line tools to search logs for unsubscribe actions: 1. grep 'action=uc' /path/to/access.log 2. grep 'action=u' /path/to/access.log Additionally, monitoring for suspicious HTTP_REFERER headers or unexpected user agents in these requests may help detect exploitation attempts. However, no specific detection commands are provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include updating the Newsletter plugin to a version later than 9.1.0 where the nonce validation issue is fixed. If an update is not immediately possible, consider disabling the unsubscription functionality or restricting access to it to trusted users only. Additionally, implementing Web Application Firewall (WAF) rules to block suspicious unsubscribe requests or requests lacking proper nonce tokens can help mitigate exploitation. Monitoring and blocking known bots and automated requests, as the plugin attempts, can also reduce risk. Finally, educating users to avoid clicking suspicious links can help prevent CSRF attacks. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1051. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart