CVE-2026-8708

Genzel breadcrumbs <= 1.2 - Cross-Site Request Forgery to Settings Update via Plugin Settings Page

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options_page function. This makes it possible for unauthenticated attackers to update the plugin's breadcrumb configuration, including templates, delimiter, home label, home URI, and breadcrumb rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected plugingenzel-breadcrumbs
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans or functional payloads for specific vulnerabilities in real-world software. For information on how to secure WordPress applications against Cross-Site Request Forgery (CSRF), you can research best practices …

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans or functional payloads for specific vulnerabilities in real-world software. For information on how to secure WordPress applications against Cross-Site Request Forgery (CSRF), you can research best practices for implementing WordPress nonces and the use of the check_admin_referer() and check_ajax_referer() functions. Additionally, the OWASP guide on CSRF prevention provides comprehensive defensive strategies.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2. The _options_page function lacks nonce validation, allowing attackers to trick an authenticated administrator into making unintended changes to the plugin's configuration via forged requests.

Exploit Outline

An attacker targets the plugin's settings page, typically located within the WordPress admin dashboard (e.g., options-general.php?page=genzel-breadcrumbs). The methodology involves crafting a malicious HTML page with an auto-submitting POST form that includes parameters for breadcrumb settings such as templates, delimiters, and labels. Because the plugin does not verify a nonce upon receiving the request, it will update the configuration as long as the request is initiated by a browser with an active administrator session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.