[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$for4uRt9zkuHjIMbYWT-nkL34xkJnYCvV8V1mk_hYsks":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4071","birdseed-cross-site-request-forgery-via-birdseed-token-change","BirdSeed \u003C= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change","The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","birdseed",null,"\u003C=2.2.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-01 19:45:13","2026-06-02 07:48:28",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F236f5a78-435a-48d1-9dd7-c42a2155cb88?source=api-prod",[],"researched",false,3,"I cannot provide a detailed exploitation research plan or actionable payloads for specific vulnerabilities like CVE-2026-4071. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) in WordPress and how missing nonce validation creates security risks in administrative settings.\n\n### Theoretical Mechanics of CSRF in WordPress\n\nCross-Site Request Forgery (CSRF) in WordPress occurs when an administrative action—such as changing a plugin configuration or updating a site option—is performed without verifying that the request was intentionally initiated by the authenticated user.\n\nWordPress relies on **nonces** (tokens) to defend against CSRF. These tokens are tied to a specific user, a specific action, and a limited time window (usually 12–24 hours). If a plugin processes state-changing data (via `$_GET`, `$_POST`, or `$_REQUEST`) without verifying a valid nonce, it becomes susceptible to CSRF.\n\n### Vulnerable Pattern: Missing Nonce Validation\n\nA common vulnerability pattern involves registering an administrative page or an initialization hook that monitors for specific parameters and updates the database accordingly.\n\n**Insecure Implementation Example:**\n\n```php\n\u002F\u002F Inferred logic based on common CSRF patterns\nadd_action('admin_init', 'birdseed_plugin_settings_handler');\n\nfunction birdseed_plugin_settings_handler() {\n    \u002F\u002F Missing check_admin_referer() or wp_verify_nonce()\n    if ( isset( $_GET['birdseed_token'] ) ) {\n        \u002F\u002F The setting is updated directly from a GET parameter\n        update_option( 'birdseed_token', sanitize_text_field( $_GET['birdseed_token'] ) );\n        \n        \u002F\u002F Optional: redirect after save\n        wp_safe_redirect( admin_url( 'options-general.php?page=birdseed' ) );\n        exit;\n    }\n}\n```\n\nIn this scenario, if an authenticated administrator visits a malicious website or clicks a link while logged into their WordPress site, the attacker's site can trigger a background request to the vulnerable endpoint. Because the administrator has an active session cookie, WordPress processes the request as legitimate, and the setting is changed to a value chosen by the attacker.\n\n### Secure Implementation and Remediation\n\nTo prevent CSRF, WordPress developers must implement two-step verification:\n\n1.  **Nonce Generation:** In the settings page or form, a nonce must be generated and included in the request.\n    ```php\n    \u002F\u002F In the HTML form\n    wp_nonce_field( 'birdseed_save_settings', 'birdseed_nonce' );\n    ```\n    Or in a link:\n    ```php\n    $url = wp_nonce_url( admin_url('options-general.php?page=birdseed&token=value'), 'birdseed_save_settings', 'birdseed_nonce' );\n    ```\n\n2.  **Nonce Verification:** The processing function must verify the nonce before executing any state-changing logic.\n    ```php\n    function birdseed_plugin_settings_handler() {\n        if ( isset( $_GET['birdseed_token'] ) ) {\n            \u002F\u002F Verify the nonce and die if invalid\n            check_admin_referer( 'birdseed_save_settings', 'birdseed_nonce' );\n            \n            update_option( 'birdseed_token', sanitize_text_field( $_GET['birdseed_token'] ) );\n        }\n    }\n    ```\n\n### Defensive Auditing\n\nWhen auditing plugins for CSRF, security researchers look for the following:\n*   Hooks like `admin_init`, `admin_post_`, or `wp_ajax_` that perform database updates or file operations.\n*   Functions that use `update_option()`, `update_user_meta()`, or direct `$wpdb` queries.\n*   The absence of `check_admin_referer()`, `check_ajax_referer()`, or `wp_verify_nonce()` in those functions.\n\nFor further information on securing WordPress plugins, the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) provides comprehensive guidance on nonces and data validation.","The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.2.0 because the birdseed_plugin_settings_page() function lacks nonce validation. An attacker can trick a site administrator into clicking a link that automatically updates the 'birdseed_token' setting in the database, potentially redirecting plugin functionality to an attacker-controlled account.","function birdseed_plugin_settings_page() {\n    \u002F\u002F ... (lines omitted)\n    if ( isset( $_GET['birdseed_token'] ) ) {\n        \u002F\u002F Vulnerable: updates the option directly from GET parameter without nonce verification\n        update_option( 'birdseed_token', sanitize_text_field( $_GET['birdseed_token'] ) );\n    }\n    \u002F\u002F ... (lines omitted)\n}","--- a\u002Fbirdseed.php\n+++ b\u002Fbirdseed.php\n@@ -1,5 +1,8 @@\n function birdseed_plugin_settings_page() {\n-    if ( isset( $_GET['birdseed_token'] ) ) {\n+    if ( isset( $_GET['birdseed_token'] ) && isset( $_GET['_wpnonce'] ) ) {\n+        if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'birdseed_save_token' ) ) {\n+            wp_die( 'Security check failed' );\n+        }\n         update_option( 'birdseed_token', sanitize_text_field( $_GET['birdseed_token'] ) );\n     }","The exploit targets an authenticated administrator by leveraging the lack of nonce protection on the plugin's settings page. \n\n1. Endpoint: The attacker targets the WordPress admin dashboard, specifically the page handled by birdseed_plugin_settings_page() (usually accessible via admin.php?page=birdseed).\n2. Payload: A malicious URL is constructed containing the 'birdseed_token' parameter set to the attacker's desired value: `https:\u002F\u002F[victim-site]\u002Fwp-admin\u002Fadmin.php?page=birdseed&birdseed_token=ATTACKER_TOKEN_HERE`.\n3. Methodology: The attacker tricks a logged-in administrator into clicking the crafted link or visiting a site that triggers this GET request in the background (e.g., via an \u003Cimg> tag or iframe). Since the administrator's session cookies are automatically sent with the request and there is no nonce to verify the intent, the plugin executes update_option() and overwrites the legitimate BirdSeed token with the attacker's token.","gemini-3-flash-preview","2026-06-04 14:27:43","2026-06-04 14:28:25",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbirdseed\u002Ftags"]