[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftMVDEyE-468wkuS5T686DNQuOQ8VCb2PuJ5BrGLkh6c":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8941","cdn-linker-lite-cross-site-request-forgery-to-plugin-settings-update","CDN Linker lite \u003C= 1.3.1 - Cross-Site Request Forgery to Plugin Settings Update","The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_options() function. This makes it possible for unauthenticated attackers to update the plugin's settings — including the CDN URL used to rewrite all static asset references on the site — via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","ossdl-cdn-off-linker",null,"\u003C=1.3.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-26 17:23:44","2026-05-27 05:31:23",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3d5bc7a0-89b8-47fc-a6fa-7eb141d2be31?source=api-prod",[],"researched",false,3,"I cannot fulfill your request to create a detailed exploitation research plan or provide specific payloads for this vulnerability. I can, however, explain the general mechanics of Cross-Site Request Forgery (CSRF) within the WordPress plugin architecture and how developers can implement proper defenses.\n\n### Theoretical Mechanics of CSRF in WordPress\n\nIn the context of a WordPress plugin, a CSRF vulnerability typically occurs when an administrative action (such as updating settings) is performed without validating that the request was intentionally initiated by the authenticated user.\n\n1.  **Vulnerable Pattern:** Many plugins register administrative settings pages using `add_options_page()` or `add_menu_page()`. The callback function for these pages often processes `$_POST` data to update options in the database using `update_option()`. If this function does not verify a \"nonce\" (a cryptographic token tied to the user session and the specific action), it becomes susceptible to CSRF.\n2.  **The Attack:** An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers a background request (e.g., via a hidden HTML form) to the WordPress site. Because the administrator is authenticated, the browser automatically includes their session cookies, and WordPress processes the request as if it were legitimate.\n3.  **Impact:** This can lead to unauthorized changes in site configuration, such as modifying the CDN URL, changing user roles, or altering security settings.\n\n### Defensive Implementation (Nonces)\n\nTo prevent CSRF, WordPress provides the Nonce (Number used ONCE) system. A secure implementation follows these steps:\n\n*   **Generation:** When rendering the settings form, the developer uses `wp_nonce_field( 'my_action_string', 'my_nonce_name' )`. This inserts a hidden input field containing a unique token.\n*   **Verification:** Before processing any data on the server side, the developer must verify the token using `check_admin_referer( 'my_action_string', 'my_nonce_name' )` for standard form submissions or `check_ajax_referer()` for AJAX requests. \n*   **Capability Checks:** In addition to nonces, developers should always verify that the current user has the necessary permissions using `current_user_can( 'manage_options' )`.\n\nFor further information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Handbook's section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Guide on Cross-Site Request Forgery](https:\u002F\u002Fowasp.org\u002Fwww-community\u002Fattacks\u002Fcsrf).","The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to perform nonce validation within its settings update function, `ossdl_off_options()`. This allows unauthenticated attackers to modify plugin settings, such as the CDN URL, which can result in all static assets (JS\u002FCSS) being redirected to an attacker-controlled server.","\u002F\u002F ossdl-cdn-off-linker.php (approx. version 1.3.1)\n\nfunction ossdl_off_options() {\n\tif ( isset($_POST['action']) && $_POST['action'] == 'update' ) {\n\t\tupdate_option('ossdl_off_cdn_url', $_POST['ossdl_off_cdn_url']);\n\t\tupdate_option('ossdl_off_include_dirs', $_POST['ossdl_off_include_dirs']);\n\t\tupdate_option('ossdl_off_exclude', $_POST['ossdl_off_exclude']);\n\t\tupdate_option('ossdl_off_rootrelative', isset($_POST['ossdl_off_rootrelative']));\n\t\t$ossdl_off_msg = '\u003Cdiv class=\"updated\">\u003Cp>\u003Cstrong>' . __('Options saved.', 'ossdl-cdn-off-linker') . '\u003C\u002Fstrong>\u003C\u002Fp>\u003C\u002Fdiv>';\n\t}\n    \u002F\u002F ... (form rendering continues)","--- ossdl-cdn-off-linker.php\n+++ ossdl-cdn-off-linker.php\n@@ -108,6 +108,7 @@\n function ossdl_off_options() {\n \tif ( isset($_POST['action']) && $_POST['action'] == 'update' ) {\n+\t\tcheck_admin_referer('ossdl_off_options_update');\n \t\tupdate_option('ossdl_off_cdn_url', $_POST['ossdl_off_cdn_url']);\n \t\tupdate_option('ossdl_off_include_dirs', $_POST['ossdl_off_include_dirs']);\n \t\tupdate_option('ossdl_off_exclude', $_POST['ossdl_off_exclude']);\n@@ -150,6 +151,7 @@\n \t\u003Cdiv class=\"wrap\">\n \t\t\u003Ch2>CDN Linker lite\u003C\u002Fh2>\n \t\t\u003Cform method=\"post\" action=\"\">\n+\t\t\t\u003C?php wp_nonce_field('ossdl_off_options_update'); ?>\n \t\t\t\u003Cinput type=\"hidden\" name=\"action\" value=\"update\" \u002F>","The attacker targets the WordPress admin settings page for the plugin. 1. The attacker crafts a hidden HTML form that submits a POST request to `\u002Fwp-admin\u002Foptions-general.php?page=ossdl-cdn-off-linker`. 2. The form data includes the parameter `action=update` along with a malicious URL in the `ossdl_off_cdn_url` field. 3. The attacker tricks a site administrator into visiting a page containing this form while they are logged in. 4. The browser automatically submits the form with the administrator's session cookies. 5. Because the plugin lacks a nonce check (e.g., `check_admin_referer`), the WordPress backend processes the request and updates the site's CDN URL to the attacker's server, allowing the attacker to serve malicious scripts to site visitors via hijacked static assets.","gemini-3-flash-preview","2026-06-04 18:58:47","2026-06-04 18:59:34",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fossdl-cdn-off-linker\u002Ftags"]