The WordPress plugin, Email Subscribers & Newsletters, prior to 4.2.3 had a flaw that allowed for CSRF to be exploited on all plugin settings.
icegram email subscribers \\& newsletters