CVE-2026-1051: CWE-352 Cross-Site Request Forgery (CSRF) in satollo Newsletter – Send awesome emails from WordPress
CVE-2026-1051 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to 9.1.0 of the WordPress plugin 'Newsletter – Send awesome emails from WordPress' by satollo. The vulnerability arises from missing or incorrect nonce validation in the hook_newsletter_action() function, allowing unauthenticated attackers to trick logged-in users into unsubscribing newsletter subscribers via forged requests. Exploitation requires user interaction but no authentication by the attacker. While the impact is limited to integrity (unauthorized unsubscriptions), it does not affect confidentiality or availability. No known exploits are currently reported in the wild. European organizations using this plugin in their WordPress environments should prioritize patching or applying mitigations to prevent abuse, especially those relying heavily on newsletter communications. Countries with high WordPress usage and significant digital marketing activities are more likely to be affected. Mitigation involves updating the plugin once a patch is available or implementing custom nonce validation and user interaction safeguards in the interim.
AI Analysis
Technical Summary
CVE-2026-1051 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the 'Newsletter – Send awesome emails from WordPress' plugin developed by satollo. This vulnerability exists in all versions up to and including 9.1.0 due to missing or incorrect nonce validation in the hook_newsletter_action() function. Nonces in WordPress are security tokens used to verify that a request comes from a legitimate source and to prevent CSRF attacks. The absence or improper implementation of nonce validation allows an attacker to craft a malicious link or request that, when clicked or triggered by an authenticated user, causes the user’s browser to perform an unintended action—in this case, unsubscribing newsletter subscribers. The attacker does not need to be authenticated but relies on social engineering to trick a logged-in user into executing the action. The vulnerability affects the integrity of the newsletter subscription list by enabling unauthorized unsubscriptions, but it does not impact the confidentiality of data or the availability of the service. The CVSS v3.1 base score is 4.3, reflecting a medium severity level with network attack vector, low attack complexity, no privileges required, and user interaction required. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The lack of a patch link indicates that a fix may not yet be available, so interim mitigations are necessary.
Potential Impact
For European organizations, this vulnerability primarily threatens the integrity of their newsletter subscriber lists by allowing unauthorized unsubscriptions. This can disrupt marketing campaigns, reduce communication effectiveness, and potentially damage customer relationships. While the vulnerability does not expose sensitive data or cause service outages, the manipulation of subscriber status can lead to loss of trust and reduced engagement. Organizations relying heavily on WordPress-based newsletters for customer outreach, especially in sectors like retail, media, and services, may experience operational disruptions. Additionally, attackers could use this vulnerability as part of a broader social engineering or phishing campaign to undermine brand reputation. The requirement for user interaction limits the scale of automated exploitation but does not eliminate risk, particularly in environments with many logged-in users. Given the widespread use of WordPress and its plugins across Europe, the vulnerability has a broad potential impact if unaddressed.
Mitigation Recommendations
Immediate mitigation steps include monitoring and restricting access to the newsletter management interface to trusted users only, minimizing the number of logged-in users who can be targeted. Administrators should educate users about the risks of clicking unsolicited links while logged into WordPress dashboards. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the hook_newsletter_action() endpoint can reduce exploitation risk. Until an official patch is released, developers or administrators can add custom nonce validation checks in the plugin code to enforce proper request verification. Additionally, enabling multi-factor authentication (MFA) for WordPress accounts reduces the risk of compromised credentials being used in conjunction with this vulnerability. Regularly auditing plugin versions and subscribing to security advisories from the plugin vendor and WordPress security communities will ensure timely updates. Finally, organizations should consider segmenting WordPress administrative access and employing least privilege principles to limit potential damage.
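The Technical Summary above explains what a WordPress nonce is, and the recommendation above suggests adding nonce validation in plugin code until a patch ships. The following is an added illustration of that defensive pattern, written for this page; it is not the satollo plugin's code and does not reproduce hook_newsletter_action(). It shows a hypothetical admin-post handler that unsubscribes an address with no request verification (the CWE-352 shape the advisory describes) next to a hardened handler that requires both a valid action-bound nonce and a capability. All hook names, the `nl_` prefix, the option key and `nl_mark_unsubscribed()` are assumptions.

```php
<?php
/*
 * Added illustration (not satollo's plugin code). Hook names, the 'nl_' prefix,
 * the option key and the persistence helper are assumptions for this example.
 */

// --- Weak handler: acts on whatever the browser sends along with the user's
// session cookie. Nothing ties the request to a form this site rendered, so a
// request triggered from another origin is indistinguishable from a real one.
function nl_unsubscribe_handler_weak() {
    $email = isset( $_REQUEST['email'] ) ? sanitize_email( wp_unslash( $_REQUEST['email'] ) ) : '';
    if ( $email ) {
        nl_mark_unsubscribed( $email ); // hypothetical persistence helper
    }
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// --- Hardened handler: a capability check AND a nonce bound to this action.
function nl_unsubscribe_handler_hardened() {
    // 1. Authorization: only users allowed to manage the site may unsubscribe others.
    //    A nonce proves intent, not permission, so this check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Request verification: check_admin_referer() calls wp_verify_nonce() on the
    //    'nl_nonce' field and terminates with wp_die() if it is missing, expired,
    //    minted for another action, or minted for another user.
    check_admin_referer( 'nl_unsubscribe_subscriber', 'nl_nonce' );

    // 3. Only after both checks pass is the input read and validated.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid email.', 'Bad Request', array( 'response' => 400 ) );
    }

    nl_mark_unsubscribed( $email );
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'nl_unsubscribed', '1', $back ) );
    exit;
}

// Register only the hardened handler, and only for logged-in users
// (admin_post_{action}); never expose it via admin_post_nopriv_{action}.
add_action( 'admin_post_nl_unsubscribe', 'nl_unsubscribe_handler_hardened' );

// The legitimate admin form embeds the matching nonce, so real submissions
// pass check_admin_referer() while requests from elsewhere cannot carry it.
function nl_render_unsubscribe_form( $email ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nl_unsubscribe">
        <input type="hidden" name="email" value="<?php echo esc_attr( $email ); ?>">
        <?php wp_nonce_field( 'nl_unsubscribe_subscriber', 'nl_nonce' ); ?>
        <button type="submit">Unsubscribe</button>
    </form>
    <?php
}

// Hypothetical persistence: a real plugin would update its own subscriber table.
function nl_mark_unsubscribed( $email ) {
    $list = get_option( 'nl_unsubscribed_emails', array() );
    $list[ strtolower( $email ) ] = time();
    update_option( 'nl_unsubscribed_emails', $list );
}
```

Two points a practitioner should take from this. First, WordPress nonces are bound to the action string, to the current user and to a time window, which is exactly why a link or form crafted outside the site cannot carry a value that wp_verify_nonce() accepts; changing the action string or reusing a nonce minted for another action makes the check fail. Second, the nonce only establishes that the request originated from a page this site served to this user; the current_user_can() call is what decides whether that user may unsubscribe other people, so an interim fix that adds only one of the two checks leaves a gap.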
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-16T16:43:52.499Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696edf804623b1157ce5dbec
Added to database: 1/20/2026, 1:50:56 AM
Last enriched: 1/20/2026, 2:05:17 AM
Last updated: 1/20/2026, 2:56:19 AM