Platform: wordpress
Component: newsletter
Fixed in: 9.1.1
CVE-2026-1051 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Newsletter WordPress plugin. This flaw allows unauthenticated attackers to potentially unsubscribe newsletter subscribers by tricking a logged-in user into performing a malicious action. The vulnerability impacts versions 0.0.0 through 9.1.0 of the plugin, and a fix is available in version 9.1.1.
The primary impact of CVE-2026-1051 is the unauthorized removal of subscribers from a WordPress newsletter. An attacker could craft a malicious link or embed it within a website or email, prompting a logged-in user of a WordPress site using the vulnerable plugin to click it. This action would then trigger the subscriber removal without the user's knowledge or consent. While the vulnerability doesn't grant direct access to sensitive data, it can disrupt marketing campaigns and damage user trust. The blast radius is limited to users of the Newsletter plugin within WordPress installations, but the ease of exploitation makes it a concern for many WordPress sites.
CVE-2026-1051 was publicly disclosed on January 20, 2026. There is currently no indication of active exploitation in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the relatively simple nature of CSRF vulnerabilities suggests that they could emerge. The vulnerability's impact is moderate due to the need to trick a logged-in user.
WordPress sites utilizing the Newsletter plugin are at risk. Specifically, sites with a large subscriber base or those relying heavily on email marketing are more vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may also be at increased risk if updates are not applied promptly.
• wordpress / composer / npm: `grep -r 'hook_newsletter_action()' /var/www/html/wp-content/plugins/newsletter/`
• wordpress / composer / npm: `wp plugin list | grep newsletter`
• wordpress / composer / npm: `wp plugin update newsletter`
• generic web: Check the WordPress plugin directory for reports of CVE-2026-1051 exploitation.
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-1051 is to immediately upgrade the Newsletter WordPress plugin to version 9.1.1 or later. If upgrading is not immediately feasible, implement temporary workarounds. A Web Application Firewall (WAF) can be configured to block suspicious requests targeting the hook_newsletter_action() function. Educate users about the risks of clicking on unfamiliar links and to verify the legitimacy of any request before confirming it. Regularly review WordPress plugin installations and remove any unused or outdated plugins to reduce the attack surface.
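For readers maintaining their own plugins, the following is an added illustration of the bug class behind this advisory, not code from the Newsletter plugin: a hypothetical WordPress unsubscribe handler in its CSRF-prone form and in a nonce-protected form. All `hypo_*` function and option names are invented for the example.

```php
<?php
// Added example, not the Newsletter plugin's code. Demonstrates why an
// unsubscribe action that trusts a bare request parameter is forgeable,
// and how a WordPress nonce bound to the action closes that gap.

// Vulnerable pattern: acts on a request parameter with no proof that the
// request was issued from a page this site rendered. A third-party page the
// victim visits can trigger it with an image tag or a hidden form.
function hypo_unsubscribe_vulnerable() {
    if ( empty( $_GET['hypo_unsub'] ) ) {
        return;
    }
    $email = sanitize_email( wp_unslash( $_GET['hypo_unsub'] ) );
    hypo_remove_subscriber( $email ); // runs for any forged request
}

// Hardened pattern, step 1: the link this site emits carries a nonce tied
// to the specific action and subscriber (and to the current session).
function hypo_unsubscribe_link( $email ) {
    $url = add_query_arg( 'hypo_unsub', rawurlencode( $email ), home_url( '/' ) );
    return wp_nonce_url( $url, 'hypo_unsub_' . $email, 'hypo_nonce' );
}

// Hardened pattern, step 2: the handler refuses any request whose nonce
// does not verify for that action, so a cross-site forgery is rejected.
function hypo_unsubscribe_hardened() {
    if ( empty( $_GET['hypo_unsub'] ) ) {
        return;
    }
    $email = sanitize_email( wp_unslash( $_GET['hypo_unsub'] ) );
    $nonce = isset( $_GET['hypo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['hypo_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'hypo_unsub_' . $email ) ) {
        wp_die( 'Invalid or expired request.', 'Forbidden', array( 'response' => 403 ) );
    }
    hypo_remove_subscriber( $email );
}

// Shared state change: drop the address from a hypothetical subscriber list.
function hypo_remove_subscriber( $email ) {
    $list = get_option( 'hypo_subscribers', array() );
    $list = array_values( array_diff( $list, array( $email ) ) );
    update_option( 'hypo_subscribers', $list );
}

add_action( 'init', 'hypo_unsubscribe_hardened' );
```

WordPress nonces expire (24 hours by default) and are tied to the visitor's session, so for unsubscribe links embedded in e-mails the usual substitute is a random per-subscriber token stored server-side and compared in constant time.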
Update to version 9.1.1 or a newer patched version.
CVE-2026-1051 is a Cross-Site Request Forgery (CSRF) vulnerability in the Newsletter WordPress plugin, allowing attackers to potentially unsubscribe subscribers.
You are affected if you are using the Newsletter WordPress plugin in versions 0.0.0 through 9.1.0.
Upgrade the Newsletter WordPress plugin to version 9.1.1 or later. Consider WAF rules and user awareness training as interim measures.
There is currently no indication of active exploitation in the wild.
Refer to the official Newsletter WordPress plugin website and WordPress security announcements for the latest advisory.