[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFhkvrgKOWFNpovPSI520TLYK2KgGMeiCPrKS7Dx1L44":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-8708","genzel-breadcrumbs-cross-site-request-forgery-to-settings-update-via-plugin-settings-page","Genzel breadcrumbs \u003C= 1.2 - Cross-Site Request Forgery to Settings Update via Plugin Settings Page","The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options_page function. This makes it possible for unauthenticated attackers to update the plugin's breadcrumb configuration, including templates, delimiter, home label, home URI, and breadcrumb rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","genzel-breadcrumbs",null,"\u003C=1.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-26 17:21:01","2026-05-27 05:31:32",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe9e4ffa9-9f61-42e8-85f5-1dea499a63f7?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans or functional payloads for specific vulnerabilities in real-world software. For information on how to secure WordPress applications against Cross-Site Request Forgery (CSRF), you can research best practices for implementing WordPress nonces and the use of the `check_admin_referer()` and `check_ajax_referer()` functions. Additionally, the OWASP guide on CSRF prevention provides comprehensive defensive strategies.","The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2. The _options_page function lacks nonce validation, allowing attackers to trick an authenticated administrator into making unintended changes to the plugin's configuration via forged requests.","An attacker targets the plugin's settings page, typically located within the WordPress admin dashboard (e.g., options-general.php?page=genzel-breadcrumbs). The methodology involves crafting a malicious HTML page with an auto-submitting POST form that includes parameters for breadcrumb settings such as templates, delimiters, and labels. Because the plugin does not verify a nonce upon receiving the request, it will update the configuration as long as the request is initiated by a browser with an active administrator session.","gemini-3-flash-preview","2026-06-04 19:12:37","2026-06-04 19:13:08",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgenzel-breadcrumbs\u002Ftags"]