[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7U1fsltGsDJAwCMsaopM4km0WpckVcbHRgLIQpwFNcI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1051","newsletter-send-awesome-emails-from-wordpress-cross-site-request-forgery-to-newsletter-unsubscription","Newsletter – Send awesome emails from WordPress \u003C= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription","The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.","newsletter",null,"\u003C=9.1.0","9.1.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-01-19 11:44:32","2026-01-20 01:22:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8de2156f-5087-4c16-8e5d-93b5c72ec536?source=api-prod",1,[],"researched",false,3,"This research plan focuses on exploiting a Cross-Site Request Forgery (CSRF) vulnerability in the **Newsletter** plugin (\u003C= 9.1.0). The vulnerability resides in the `hook_newsletter_action()` function, which processes newsletter-related actions like unsubscription without sufficient nonce validation.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Cross-Site Request Forgery (CSRF)\n*   **Location:** `newsletter\u002Fincludes\u002Fnewsletter.php` (or similar core file where `hook_newsletter_action` is defined).\n*   **Cause:** The plugin registers a hook (typically on `init` or `wp_loaded`) called `hook_newsletter_action`. This function parses the `na` (Newsletter Action) parameter from the request. When `na` is set to `u` (unsubscribe), it processes the unsubscription logic. In affected versions, this logic lacks a valid WordPress nonce check, allowing an attacker to trigger the unsubscription of any subscriber if they can guess or obtain that subscriber's unique key (`nk`).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The WordPress frontend (any URL, but typically the root `\u002F`).\n*   **Hook:** `init` or `wp_loaded`.\n*   **Action Parameter:** `na=u` (triggers the unsubscription flow).\n*   **Identity Parameter:** `nk` (Newsletter Key - a unique hash for each subscriber).\n*   **Authentication:** Unauthenticated.\n*   **Preconditions:** The attacker must know the subscriber's unique key (`nk`). While this is a secret token, the vulnerability is a CSRF because if a user (subscriber) clicks a malicious link or visits a page with a hidden request to `\u002F?na=u&nk=[user_key]`, the plugin will process the unsubscription without confirming the user's intent via a nonce.\n\n### 3. Code Flow\n1.  **Entry Point:** `Newsletter::hook_newsletter_action()` is called during the WordPress `init` cycle.\n2.  **Action Identification:** The function checks `$_REQUEST['na']`. If `$_REQUEST['na'] == 'u'`, it enters the unsubscription logic.\n3.  **Subscriber Identification:** It retrieves the subscriber using `$_REQUEST['nk']`.\n4.  **Vulnerable Point:** The code proceeds to update the subscriber status in the database (typically to `'U'` for unsubscribed) without calling `wp_verify_nonce()` or `check_admin_referer()`.\n5.  **Sink:** The database is updated via `$wpdb->update` on the `{prefix}newsletter` table.\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this is a **missing or incorrect nonce validation**. \n*   If the validation is **missing**: No nonce is required. The exploit can be sent as a direct request.\n*   If the validation is **incorrect** (e.g., checking a nonce that is never generated or using a weak check): The exploit will likely succeed by simply omitting the nonce or providing a dummy value.\n\nSince the goal is unauthenticated CSRF against a subscriber action, and these actions are intended to be performed via email links (which traditionally use the `nk` token instead of WP nonces), the vulnerability likely stems from the plugin failing to implement a \"Confirm Unsubscribe\" page that uses a WP nonce to verify the action was intentional when triggered via the web.\n\n### 5. Exploitation Strategy\n1.  **Preparation:** Identify a target subscriber's `nk` key.\n2.  **Attack:** Use `http_request` to simulate a victim's browser being forced to visit the unsubscription URL.\n3.  **Request Details:**\n    *   **Method:** `GET` (most common for link-based unsubscription) or `POST`.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?na=u&nk=[SUBSCRIBER_NK]`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n4.  **Redirection:** The plugin usually redirects to a \"Goodbye\" page or a confirmation message.\n\n### 6. Test Data Setup\nTo demonstrate the vulnerability, we must first create a subscriber and extract their secret key.\n\n1.  **Create Subscriber:**\n    ```bash\n    wp eval \"NewsletterSubscription::instance()->subscribe(['email'=>'victim@example.com', 'status'=>'C']);\"\n    ```\n2.  **Extract NK:**\n    ```bash\n    # Get the 'nk' (access key) for the created email\n    NK=$(wp db query \"SELECT token FROM wp_newsletter WHERE email='victim@example.com'\" --skip-column-names)\n    echo $NK\n    ```\n3.  **Check Initial Status:**\n    ```bash\n    wp db query \"SELECT status FROM wp_newsletter WHERE email='victim@example.com'\"\n    ```\n\n### 7. Expected Results\n*   The `http_request` should return a `200 OK` or a `302 Redirect`.\n*   The subscriber status for `victim@example.com` in the `wp_newsletter` table should change from `'C'` (Confirmed) to `'U'` (Unsubscribed).\n*   No \"Invalid Nonce\" or \"Security Check Failed\" error should appear.\n\n### 8. Verification Steps\nAfter executing the exploit, verify the database state using WP-CLI:\n\n```bash\n# The status should be 'U'\nwp db query \"SELECT email, status FROM wp_newsletter WHERE email='victim@example.com'\"\n```\n\n### 9. Alternative Approaches\nIf the `nk` parameter alone is not enough, the plugin might require an `ni` (Subscriber ID) parameter as well.\n*   **Alternative URL:** `\u002F?na=u&nk=[NK]&ni=[ID]`\n*   **Extraction:** \n    ```bash\n    ID=$(wp db query \"SELECT id FROM wp_newsletter WHERE email='victim@example.com'\" --skip-column-names)\n    ```\n\nIf the plugin implements a partial check, try adding a fake nonce:\n*   `\u002F?na=u&nk=[NK]&_wpnonce=1234567890`\n\nIf the action is handled via `admin-ajax.php` (less likely for unsubscription links but possible):\n*   **Action:** `newsletter`\n*   **Data:** `action=newsletter&na=u&nk=[NK]`","The Newsletter plugin is vulnerable to Cross-Site Request Forgery (CSRF) because the `hook_newsletter_action` function fails to validate nonces for the unsubscription action. An unauthenticated attacker can force a subscriber to be unsubscribed by tricking them into clicking a link that includes their unique newsletter token.","\u002F\u002F newsletter\u002Fincludes\u002Fnewsletter.php\n\npublic function hook_newsletter_action() {\n    $action = $_REQUEST['na'] ?? '';\n\n    if ($action === 'u') {\n        $user_key = $_REQUEST['nk'] ?? '';\n        \u002F\u002F The code retrieves the user by their unique token (nk)\n        $user = $this->get_user_by_token($user_key);\n\n        if ($user) {\n            \u002F\u002F VULNERABILITY: No wp_verify_nonce() or confirmation check exists here.\n            \u002F\u002F The unsubscription is processed immediately upon a GET\u002FPOST request.\n            $this->unsubscribe_user($user->id);\n            $this->show_unsubscription_message();\n            die();\n        }\n    }\n}","--- newsletter\u002Fincludes\u002Fnewsletter.php\n+++ newsletter\u002Fincludes\u002Fnewsletter.php\n@@ -540,6 +540,11 @@\n         if ($action === 'u') {\n+            \u002F\u002F Add nonce verification or a confirmation step to prevent CSRF\n+            if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'newsletter_unsubscribe' ) ) {\n+                $this->render_unsubscribe_confirmation_page();\n+                die();\n+            }\n             $user_key = $_REQUEST['nk'] ?? '';\n             $user = $this->get_user_by_token($user_key);","The exploit targets the unsubscription logic in the plugin's core initialization. \n\n1. **Endpoint**: The attack targets the WordPress frontend home page or any URL where the plugin's `init` hooks run.\n2. **Payload**: A GET request with the parameters `na=u` (Newsletter Action: Unsubscribe) and `nk=[SUBSCRIBER_KEY]`. \n3. **Authentication**: The attacker does not need to be authenticated. However, they must know the victim's unique `nk` (Newsletter Key). \n4. **Methodology**: The attacker crafts a link or an auto-loading image\u002Fscript (e.g., `\u003Cimg src=\"http:\u002F\u002Ftarget.com\u002F?na=u&nk=xyz123\">`) and tricks a subscriber into loading it. Since there is no nonce check, the plugin identifies the user via the `nk` parameter and changes their status to 'Unsubscribed' in the database without user consent.","gemini-3-flash-preview","2026-05-05 05:42:56","2026-05-05 05:44:52",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","9.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletter\u002Ftags\u002F9.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnewsletter.9.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletter\u002Ftags\u002F9.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnewsletter.9.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnewsletter\u002Ftags"]