We can send email to anyone if we have a valid nonce token.
By default this token is displayed on every page, with
This can be used to send spam from a non-existent or a forged address.
Proof of Concept:
- 05-01-2015: Discovered
- 05-01-2015: Vendor notified
- 17-01-2015: Version 4.2.27 released, issue resolved