Platform: wordpress
Component: newsletter
Fixed in: 9.1.1
CVE-2026-1051 is a Cross-Site Request Forgery (CSRF) vulnerability in the Newsletter WordPress plugin. The flaw lets an unauthenticated attacker unsubscribe newsletter subscribers by forging a state-changing request and having a logged-in user's browser submit it; the attacker needs no credentials of their own, only victim interaction. The vulnerability affects versions 0.0.0 through 9.1.0 of the plugin and is fixed in version 9.1.1.
The primary impact of CVE-2026-1051 is the unauthorized removal of subscribers from a WordPress newsletter. An attacker can place the forged request in a link, a web page or an email; when a user who is logged in to a site running the vulnerable plugin loads it, their browser submits the request with the session cookies already attached, and the subscriber is removed without the user's knowledge or consent. The vulnerability does not grant access to sensitive data, but it can disrupt marketing campaigns and damage user trust. The blast radius is limited to WordPress installations running the Newsletter plugin, but the low effort needed to exploit a CSRF makes it a concern for the many sites that do.
CVE-2026-1051 was publicly disclosed on January 20, 2026. There is currently no indication of active exploitation in the wild, and it is not listed in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but CSRF bugs are simple to weaponize once the vulnerable request is known, so one could emerge quickly. The impact is moderate because the attacker must get a logged-in user to load attacker-controlled content.
Exploit Status
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-1051 is to upgrade the Newsletter WordPress plugin to version 9.1.1 or later without delay. If upgrading is not immediately feasible, apply temporary workarounds: a Web Application Firewall (WAF) can be configured to block suspicious requests that reach the plugin's hook_newsletter_action() handler, although such rules key on request shape and should be treated as a stopgap, not a fix. User awareness helps little against CSRF, since the forged request fires as soon as the victim loads attacker-controlled content and no confirmation step is involved; still, encourage users to avoid unfamiliar links and to log out of administrative sessions when not in use. Regularly review installed WordPress plugins and remove any that are unused or outdated to reduce the attack surface.
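The root cause of a WordPress CSRF like this one is a state-changing handler that acts on request parameters without verifying a nonce bound to the logged-in user. The following is an added illustration of that pattern and its WordPress-native fix; it is not code from the Newsletter plugin or from the advisory, and every name beginning with demo_ is hypothetical. It stores subscribers in a WordPress option so it can run in any plugin file.

```php
<?php
// Added example (not Newsletter plugin code). Hypothetical names: demo_*.
// Subscriber list is kept in a WordPress option for self-containment.

function demo_remove_subscriber( string $email ): bool {
    $subs = get_option( 'demo_nl_subscribers', array() );
    $before = count( $subs );
    $subs = array_values( array_filter( $subs, fn( $s ) => strcasecmp( $s, $email ) !== 0 ) );
    update_option( 'demo_nl_subscribers', $subs );
    return count( $subs ) < $before;
}

// Vulnerable shape: the action is driven by request parameters alone.
// Any page the victim visits can submit this request with their cookies,
// because nothing here proves the request originated from the site's own form.
function demo_unsubscribe_vulnerable() {
    if ( isset( $_REQUEST['demo_nl_action'] ) && 'unsubscribe' === $_REQUEST['demo_nl_action'] ) {
        $email = sanitize_email( wp_unslash( $_REQUEST['demo_nl_email'] ?? '' ) );
        demo_remove_subscriber( $email );
    }
}

// Hardened shape: POST only, a nonce tied to this exact action, and a
// capability check so only an authorised user can remove subscribers.
function demo_unsubscribe_hardened() {
    if ( ! isset( $_POST['demo_nl_action'] ) || 'unsubscribe' !== $_POST['demo_nl_action'] ) {
        return;
    }
    // wp_verify_nonce() returns false for a missing, forged, or expired nonce.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_nl_unsubscribe' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $email = sanitize_email( wp_unslash( $_POST['demo_nl_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid email.', 'Bad Request', array( 'response' => 400 ) );
    }
    demo_remove_subscriber( $email );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// The legitimate form emits the nonce. A cross-origin attacker page cannot
// read this value, which is what defeats the forged request.
function demo_unsubscribe_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_nl_unsubscribe' ); ?>
        <input type="hidden" name="action" value="demo_nl_unsubscribe">
        <input type="hidden" name="demo_nl_action" value="unsubscribe">
        <input type="email" name="demo_nl_email" required>
        <button type="submit">Unsubscribe</button>
    </form>
    <?php
}

// admin_post_{action} runs only for logged-in users hitting admin-post.php.
add_action( 'admin_post_demo_nl_unsubscribe', 'demo_unsubscribe_hardened' );
```

The nonce is the decisive control: it is derived from the user's session and the action name, so a forged request carrying the victim's cookies still fails the check. Restricting the handler to POST and checking a capability are defence in depth; on their own they do not stop CSRF, because a hidden form on the attacker's page can POST and the victim already holds the capability.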
Update to version 9.1.1, or a newer patched version
CVE-2026-1051 is a Cross-Site Request Forgery (CSRF) vulnerability in the Newsletter WordPress plugin that allows an attacker to unsubscribe subscribers by having a logged-in user's browser submit a forged request.
You are affected if you are running the Newsletter WordPress plugin at any version from 0.0.0 through 9.1.0.
Upgrade the Newsletter WordPress plugin to version 9.1.1 or later. WAF rules and user awareness are interim measures only and do not remove the underlying flaw.
There is currently no indication of active exploitation in the wild.
Refer to the official Newsletter WordPress plugin website and WordPress security announcements for the latest advisory.