
Vulnerability when using a field as To field in send mail action

Open sam-d-brown opened this issue 2 years ago • 0 comments

If you're using a field for a message action like a To field, a user can abuse this by setting the field to whatever they want to make the form send a message to whatever email address they like.

For example, I have a select field on my form with a list of email addresses and names. I can inspect element, change the selected value to a different email, and the form will send an email to that address.

I've fixed this with some custom validation to make sure the form only sends to a list of pre-defined emails, but this could be fixed in the plugin by checking that the email the form is sending to is set on the given field.

sam-d-brown, Jul 27 '23 10:07
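Server-side allowlist check of the kind the reporter describes, as an added example that is not the plugin's own code. It assumes HTML Forms' `hf_validate_form` filter with the signature `($error_code, $form, $data)`, a select field named `RECIPIENT`, and constructed sample addresses; the point is that the mailer only ever receives a value the site owner configured, never the raw string the browser submitted.

```php
<?php
// Added example, not the plugin's own code. Mirrors the workaround in the
// issue: the mail action may only go to addresses the site owner listed as
// options on the recipient field. Addresses below are constructed samples.
const ALLOWED_RECIPIENTS = [
    'sales@example.com',
    'support@example.com',
];

/**
 * True only when the submitted value is byte-for-byte one of the configured
 * options. Any other value (a different address typed into the DOM via
 * inspect element, extra whitespace, a comma-separated list) is rejected,
 * so the mailer never sees an attacker-chosen "To" address.
 */
function is_allowed_recipient(string $submitted, array $allowed): bool {
    return in_array($submitted, $allowed, true); // strict comparison, no casts
}

// Wiring into the plugin's validation step. The hook name and callback
// signature ($error_code, $form, $data) are assumed here, as is the field
// name RECIPIENT; $data holds the submitted values keyed by field name.
// Returning a non-empty error code blocks the form's actions from running.
add_filter('hf_validate_form', function ($error_code, $form, array $data) {
    if ($error_code !== '') {
        return $error_code; // keep any earlier validation error
    }
    $submitted = (string) ($data['RECIPIENT'] ?? '');
    return is_allowed_recipient($submitted, ALLOWED_RECIPIENTS)
        ? ''
        : 'invalid_recipient';
}, 10, 3);
```

The check belongs on the server: the select's options in the HTML are only a convenience for the user, and anything the browser sends can be edited before submission.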