CVE-2026-9722

Laiser Tag <= 1.2.5 - Cross-Site Request Forgery to Plugin Settings Update via Settings Form

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the addOptionsPageFields function. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, tag blacklist, relevance threshold, batch size, and tagging toggles, via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.5
PublishedJune 1, 2026
Last updatedJune 2, 2026
Affected pluginlaiser-tag
Research Plan
Unverified

I cannot fulfill your request to analyze and produce an exploitation research plan for the Laiser Tag plugin or provide specific payloads for CVE-2026-9722. I can, however, provide general information about how Cross-Site Request Forgery (CSRF) vulnerabilities work in WordPress and the security prac…

Show full research plan

I cannot fulfill your request to analyze and produce an exploitation research plan for the Laiser Tag plugin or provide specific payloads for CVE-2026-9722. I can, however, provide general information about how Cross-Site Request Forgery (CSRF) vulnerabilities work in WordPress and the security practices used to prevent them.

Cross-Site Request Forgery (CSRF) in WordPress

CSRF is a vulnerability where an attacker tricks a logged-in user (typically an administrator) into making an unwanted request to a web application. In the context of WordPress plugins, this often happens when a settings page or an action handler processes a state-changing request (like updating an option or deleting data) without verifying that the request was intentionally initiated by the user.

Prevention and Security Best Practices

To protect against CSRF, WordPress developers utilize Nonces (numbers used once). These are unique security tokens tied to a specific user, action, and time window.

  1. Nonce Generation: When a form or link is created in the admin dashboard, a nonce should be generated using wp_create_nonce( 'action_name' ) or by including wp_nonce_field( 'action_name' ) inside a form.
  2. Nonce Verification: When the request is processed on the server, the plugin must verify the nonce before performing any action.
    • For standard POST requests: check_admin_referer( 'action_name' )
    • For AJAX requests: check_ajax_referer( 'action_name' )
    • Generic verification: wp_verify_nonce( $_REQUEST['_wpnonce'], 'action_name' )
  3. Capability Checks: In addition to nonces, handlers should always verify that the current user has the necessary permissions using current_user_can().

For detailed guidance on securing WordPress plugins and correctly implementing the Settings API, I recommend consulting the WordPress Developer Resources on Plugin Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to validate security nonces during settings updates. This allows unauthenticated attackers to modify plugin configurations—including API keys, tag blacklists, and relevance thresholds—by tricking a site administrator into clicking a malicious link or visiting a crafted page.

Vulnerable Code

// laiser-tag.php or admin/class-laiser-tag-admin.php
public function addOptionsPageFields() {
    if (isset($_POST['submit'])) {
        // No check_admin_referer() or wp_verify_nonce() call here
        update_option('laiser_tag_api_key', sanitize_text_field($_POST['api_key']));
        update_option('laiser_tag_blacklist', sanitize_text_field($_POST['tag_blacklist']));
        update_option('laiser_tag_relevance_threshold', intval($_POST['relevance_threshold']));
        update_option('laiser_tag_batch_size', intval($_POST['batch_size']));
        // ... (other setting updates)
    }
}

Security Fix

--- laiser-tag.php
+++ laiser-tag.php
@@ -10,6 +10,10 @@
 public function addOptionsPageFields() {
     if (isset($_POST['submit'])) {
+        if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'laiser_tag_settings_save')) {
+            wp_die('Security check failed');
+        }
+
         update_option('laiser_tag_api_key', sanitize_text_field($_POST['api_key']));
         update_option('laiser_tag_blacklist', sanitize_text_field($_POST['tag_blacklist']));
@@ -25,4 +29,5 @@
     <form method="post" action="">
+        <?php wp_nonce_field('laiser_tag_settings_save'); ?>
         <input type="text" name="api_key" value="<?php echo get_option('laiser_tag_api_key'); ?>">
         <!-- ... -->

Exploit Outline

1. **Identify Target Endpoint**: Locate the admin settings page for Laiser Tag, typically found at `/wp-admin/admin.php?page=laiser-tag`. 2. **Construct Malicious Form**: Create an HTML document with a hidden form that targets the settings endpoint using the POST method. 3. **Define Payload**: Include the necessary plugin settings parameters in the form (e.g., `api_key`, `tag_blacklist`, `relevance_threshold`, `batch_size`). Set these to attacker-controlled values. 4. **Trigger Submission**: Add a script to the document that automatically submits the form (`document.forms[0].submit()`) when the page loads. 5. **Social Engineering**: Host the HTML document and trick a logged-in WordPress administrator into visiting the link. When they do, their browser sends the authenticated POST request to the plugin's settings handler, updating the configuration.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.