WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. A cross-site request forgery vulnerability exists in versions of the WordPress Emails and Alerts plugin prior to 1.8.7. The vulnerability stems from the failure of the custom WordPress Emails and Alerts plugin to perform authorization and CSRF checks on its bnfw AJAX action for searching users. As a result, any authenticated attacker could invoke the action and query a user's email prefix (finding the first letter, then the second, then the third, and so on).
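
The two checks named above, applied to an AJAX user-search handler. This is an added example, not the plugin's own code or its 1.8.7 patch; the action name, handler name, `nonce` field and `query` parameter are hypothetical.

```php
<?php
/**
 * Plugin Name: Example hardened user-search AJAX action (constructed example)
 */

// Hypothetical identifiers: placeholders, not the names used by the plugin
// described in the advisory.
const EXAMPLE_ACTION = 'example_search_users';

// wp_ajax_{action} fires only for logged-in users. That is authentication,
// not authorization: every low-privilege account can still reach the handler.
add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_search_users_handler' );

function example_search_users_handler() {
    // CSRF check: the request must carry a nonce created for this action with
    // wp_create_nonce( EXAMPLE_ACTION ) and handed to the admin page's script.
    // Passing false as the third argument makes check_ajax_referer() return
    // false instead of dying, so the handler controls the response.
    if ( ! check_ajax_referer( EXAMPLE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // Authorization check: only users allowed to list users may search them.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    $term = isset( $_GET['query'] )
        ? sanitize_text_field( wp_unslash( $_GET['query'] ) )
        : '';
    if ( '' === $term ) {
        wp_send_json_success( array() );
    }

    $users = get_users( array(
        'search'         => $term . '*',
        // Match on names only. Including user_email here is what lets a
        // prefix search confirm an address one character at a time.
        'search_columns' => array( 'user_login', 'display_name' ),
        'fields'         => array( 'ID', 'display_name' ),
        'number'         => 20,
    ) );

    wp_send_json_success( $users );
}
```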