CVE-2026-1051 — Cross-Site Request Forgery in Newsletter Send Awesome Emails From Wordpress

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 95.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Satollo Newsletter Send Awesome Emails From Wordpress

Timeline

PublishedJan 20

Description

The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5satollo/newsletter_send_awesome_emails_from_wordpress9.1.0

🔴Vulnerability Details

GHSA

GHSA-2wh9-wm58-w79r: The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and includ↗2026-01-20

▶

CVEList

Newsletter – Send awesome emails from WordPress <= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription↗2026-01-20

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1051 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶