Newsletter – Send awesome emails from WordPress Vulnerability – Cross-Site Request Forgery to Newsletter Unsubscription – CVE-2026-1051 | WordPress Plugin Vulnerability Report

Plugin Name: Newsletter – Send awesome emails from WordPress


Key Information

Software Type: Plugin
Software Slug: newsletter
Software Status: Active
Software Author: satollo
Software Downloads: 32,725,200
Active Installs: 300,000
Last Updated: January 20, 2026
Patched Versions: 9.1.1
Affected Versions: ≤ 9.1.0


Vulnerability Details

Name: Newsletter – Send awesome emails from WordPress ≤ 9.1.0
Title: Cross-Site Request Forgery to Newsletter Unsubscription
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE: CVE-2026-1051
CVSS Score: 4.3
Publicly Published: January 19, 2026
Researchers: Sergej Ljubojevic (Ras-IT), Boris Bogosavac
Description:
The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 9.1.0 due to missing or incorrect nonce validation on the hook_newsletter_action() function. This flaw allows unauthenticated attackers to unsubscribe newsletter subscribers by tricking a logged-in user into clicking a malicious link.


Summary

The Newsletter – Send awesome emails from WordPress plugin for WordPress has a vulnerability in versions up to and including 9.1.0 that allows unauthenticated attackers to unsubscribe legitimate newsletter subscribers via a CSRF attack. This vulnerability has been patched in version 9.1.1.


Detailed Overview

This vulnerability exists because the plugin’s handler for newsletter actions does not properly validate nonces — tokens meant to prevent unauthorized or forged requests. Without this check, an attacker can craft a link that, when clicked by a logged-in user, triggers the unsubscribe action on behalf of another user.

CSRF attacks exploit the trust a web application has in a user’s browser. In this case, a logged-in administrator or editor who clicks a malicious link could unintentionally unsubscribe users from a mailing list without their knowledge or consent. While this does not allow attackers to access sensitive data or take over accounts, it can disrupt communication and user engagement.

The vulnerability was discovered and published in January 2026, with researchers Sergej Ljubojevic and Boris Bogosavac credited for reporting the issue. The plugin’s developers have since corrected the nonce validation in the patched version.
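To make the missing check concrete, here is an added illustration (hypothetical code written for this report, not the Newsletter plugin's own source): a generic WordPress request handler that performs an unsubscribe, first without any nonce validation and then hardened with `wp_nonce_url()` / `wp_verify_nonce()`. All function and parameter names prefixed `hypothetical_` are assumptions.

```php
<?php
// Hypothetical storage helper: records an address as unsubscribed in a WP option.
function hypothetical_mark_unsubscribed( $email ) {
    $list = (array) get_option( 'hypothetical_unsubscribed', array() );
    if ( ! in_array( $email, $list, true ) ) {
        $list[] = $email;
        update_option( 'hypothetical_unsubscribed', $list );
    }
}

// Vulnerable pattern: any request naming the action is honoured, so a link
// placed on a third-party page is enough once a logged-in user clicks it.
function hypothetical_unsubscribe_handler_vulnerable() {
    if ( ( $_REQUEST['hypothetical_action'] ?? '' ) !== 'unsubscribe' ) {
        return;
    }
    $email = sanitize_email( wp_unslash( $_REQUEST['email'] ?? '' ) );
    hypothetical_mark_unsubscribed( $email ); // state change, no proof of intent
}

// Hardened pattern, step 1: every legitimate unsubscribe link is generated by
// the site itself and carries a nonce bound to the action, the address and the
// current user's session.
function hypothetical_unsubscribe_link( $email ) {
    $url = add_query_arg(
        array( 'hypothetical_action' => 'unsubscribe', 'email' => rawurlencode( $email ) ),
        home_url( '/' )
    );
    return wp_nonce_url( $url, 'hypothetical_unsubscribe_' . $email, '_wpnonce' );
}

// Hardened pattern, step 2: the handler refuses any request whose nonce is
// missing, expired, issued for another action/address, or minted for a
// different user. A link forged on an external site cannot carry a valid one.
function hypothetical_unsubscribe_handler_hardened() {
    if ( ( $_REQUEST['hypothetical_action'] ?? '' ) !== 'unsubscribe' ) {
        return;
    }
    $email = sanitize_email( wp_unslash( $_REQUEST['email'] ?? '' ) );
    $nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'hypothetical_unsubscribe_' . $email ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    hypothetical_mark_unsubscribed( $email );
}

// Register the hardened handler; the vulnerable one is shown only for contrast.
add_action( 'init', 'hypothetical_unsubscribe_handler_hardened' );
```

Because `wp_verify_nonce()` ties the token to the logged-in user, this guards exactly the scenario the report describes (a logged-in user tricked into clicking); unsubscribe links mailed to logged-out recipients need a separate per-subscriber secret token instead.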


Advice for Users

Immediate Action:
Update the Newsletter plugin to version 9.1.1 or later immediately to fix the CSRF vulnerability.

Check for Signs of Vulnerability:
Review recent unsubscribe events in your newsletter logs. Unexplained unsubscribes may indicate past misuse of the flaw.

Alternate Plugins:
If you continue to have concerns about newsletter plugin security, consider alternatives with a strong security track record.

Stay Updated:
Keeping all plugins up to date is critical — even seemingly minor bugs can be abused in unexpected ways.


Conclusion

This CSRF vulnerability highlights why sites with user interaction should enforce proper request validation. Updating to Newsletter version 9.1.1 or later will protect your subscriber lists and ensure user actions cannot be forged by external sites or emails.

References

  • Wordfence Vulnerability Database – Newsletter – Send awesome emails from WordPress: CVE-2026-1051

  • National Vulnerability Database – CVE-2026-1051: Cross-Site Request Forgery details


Staying Secure

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We’ll immediately update any out-of-date plugins and harden your site’s security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
