CVE-2026-4071

BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2.0
PublishedJune 1, 2026
Last updatedJune 2, 2026
Affected pluginbirdseed
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or actionable payloads for specific vulnerabilities like CVE-2026-4071. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) in WordPress and how missing nonce validation creates security risks in administrative…

Show full research plan

I cannot provide a detailed exploitation research plan or actionable payloads for specific vulnerabilities like CVE-2026-4071. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) in WordPress and how missing nonce validation creates security risks in administrative settings.

Theoretical Mechanics of CSRF in WordPress

Cross-Site Request Forgery (CSRF) in WordPress occurs when an administrative action—such as changing a plugin configuration or updating a site option—is performed without verifying that the request was intentionally initiated by the authenticated user.

WordPress relies on nonces (tokens) to defend against CSRF. These tokens are tied to a specific user, a specific action, and a limited time window (usually 12–24 hours). If a plugin processes state-changing data (via $_GET, $_POST, or $_REQUEST) without verifying a valid nonce, it becomes susceptible to CSRF.

Vulnerable Pattern: Missing Nonce Validation

A common vulnerability pattern involves registering an administrative page or an initialization hook that monitors for specific parameters and updates the database accordingly.

Insecure Implementation Example:

// Inferred logic based on common CSRF patterns
add_action('admin_init', 'birdseed_plugin_settings_handler');

function birdseed_plugin_settings_handler() {
    // Missing check_admin_referer() or wp_verify_nonce()
    if ( isset( $_GET['birdseed_token'] ) ) {
        // The setting is updated directly from a GET parameter
        update_option( 'birdseed_token', sanitize_text_field( $_GET['birdseed_token'] ) );
        
        // Optional: redirect after save
        wp_safe_redirect( admin_url( 'options-general.php?page=birdseed' ) );
        exit;
    }
}

In this scenario, if an authenticated administrator visits a malicious website or clicks a link while logged into their WordPress site, the attacker's site can trigger a background request to the vulnerable endpoint. Because the administrator has an active session cookie, WordPress processes the request as legitimate, and the setting is changed to a value chosen by the attacker.

Secure Implementation and Remediation

To prevent CSRF, WordPress developers must implement two-step verification:

  1. Nonce Generation: In the settings page or form, a nonce must be generated and included in the request.

    // In the HTML form
    wp_nonce_field( 'birdseed_save_settings', 'birdseed_nonce' );
    

    Or in a link:

    $url = wp_nonce_url( admin_url('options-general.php?page=birdseed&token=value'), 'birdseed_save_settings', 'birdseed_nonce' );
    
  2. Nonce Verification: The processing function must verify the nonce before executing any state-changing logic.

    function birdseed_plugin_settings_handler() {
        if ( isset( $_GET['birdseed_token'] ) ) {
            // Verify the nonce and die if invalid
            check_admin_referer( 'birdseed_save_settings', 'birdseed_nonce' );
            
            update_option( 'birdseed_token', sanitize_text_field( $_GET['birdseed_token'] ) );
        }
    }
    

Defensive Auditing

When auditing plugins for CSRF, security researchers look for the following:

  • Hooks like admin_init, admin_post_, or wp_ajax_ that perform database updates or file operations.
  • Functions that use update_option(), update_user_meta(), or direct $wpdb queries.
  • The absence of check_admin_referer(), check_ajax_referer(), or wp_verify_nonce() in those functions.

For further information on securing WordPress plugins, the WordPress Plugin Handbook's Security section provides comprehensive guidance on nonces and data validation.

Research Findings
Static analysis — not yet PoC-verified

Summary

The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.2.0 because the birdseed_plugin_settings_page() function lacks nonce validation. An attacker can trick a site administrator into clicking a link that automatically updates the 'birdseed_token' setting in the database, potentially redirecting plugin functionality to an attacker-controlled account.

Vulnerable Code

function birdseed_plugin_settings_page() {
    // ... (lines omitted)
    if ( isset( $_GET['birdseed_token'] ) ) {
        // Vulnerable: updates the option directly from GET parameter without nonce verification
        update_option( 'birdseed_token', sanitize_text_field( $_GET['birdseed_token'] ) );
    }
    // ... (lines omitted)
}

Security Fix

--- a/birdseed.php
+++ b/birdseed.php
@@ -1,5 +1,8 @@
 function birdseed_plugin_settings_page() {
-    if ( isset( $_GET['birdseed_token'] ) ) {
+    if ( isset( $_GET['birdseed_token'] ) && isset( $_GET['_wpnonce'] ) ) {
+        if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'birdseed_save_token' ) ) {
+            wp_die( 'Security check failed' );
+        }
         update_option( 'birdseed_token', sanitize_text_field( $_GET['birdseed_token'] ) );
     }

Exploit Outline

The exploit targets an authenticated administrator by leveraging the lack of nonce protection on the plugin's settings page. 1. Endpoint: The attacker targets the WordPress admin dashboard, specifically the page handled by birdseed_plugin_settings_page() (usually accessible via admin.php?page=birdseed). 2. Payload: A malicious URL is constructed containing the 'birdseed_token' parameter set to the attacker's desired value: `https://[victim-site]/wp-admin/admin.php?page=birdseed&birdseed_token=ATTACKER_TOKEN_HERE`. 3. Methodology: The attacker tricks a logged-in administrator into clicking the crafted link or visiting a site that triggers this GET request in the background (e.g., via an <img> tag or iframe). Since the administrator's session cookies are automatically sent with the request and there is no nonce to verify the intent, the plugin executes update_option() and overwrites the legitimate BirdSeed token with the attacker's token.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.