The Newsletter Popup WordPress plugin up to and including 1.2 does not have CSRF check when deleting list, which could allow malicious users to make logged in admins perform such action via a CSRF attack