[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fv54t1r0iHkUDfjXREzFCC2vj62xW3A6ZgaMdrrsxjD4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-8942","metamagic-seo-plugin-cross-site-request-forgery-to-plugin-settings-update-via-settings-page","MetaMagic SEO Plugin \u003C= 1.6 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page","The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metamagic_update_options function. This makes it possible for unauthenticated attackers to modify the plugin's SEO settings, including enabling or disabling the plugin and toggling description and keyword meta tag output via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","metamagic",null,"\u003C=1.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-26 18:57:11","2026-05-27 07:45:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa08e4147-9a57-4936-9a18-02110c79a8bb?source=api-prod",[],"researched",false,3,"I cannot provide a detailed exploitation research plan or specific payloads for the MetaMagic SEO Plugin or any other software. I can, however, explain the technical mechanics of Cross-Site Request Forgery (CSRF) vulnerabilities within the WordPress administrative environment and the standard security practices used to prevent them.\n\n### CSRF in WordPress Plugin Settings\n\nCross-Site Request Forgery (CSRF) occurs when an application processes a state-changing request—such as updating plugin options—without verifying that the request was intentionally initiated by the authenticated user.\n\nIn WordPress, this typically happens when a plugin registers an administrative action or a settings page but fails to implement or verify a security nonce.\n\n#### Vulnerability Mechanism\n\nA vulnerable settings update usually follows this pattern:\n\n1.  **Action Registration**: The plugin registers a hook (e.g., `admin_post_` or `wp_ajax_`) to handle form submissions.\n2.  **Missing Verification**: The handler function checks if the user has the required capability (e.g., `current_user_can('manage_options')`) but does not verify a WordPress nonce.\n3.  **State Change**: If the capability check passes, the function proceeds to update the database using `update_option()`.\n\nBecause the administrator's browser automatically includes session cookies with requests to the WordPress site, an attacker can host a malicious page that submits a hidden form to the vulnerable endpoint. If the administrator visits the attacker's page while logged in, the browser will execute the request, and the plugin will update its settings according to the attacker's payload.\n\n### Defensive Implementation: The WordPress Settings API\n\nThe most secure way to handle plugin settings is through the built-in WordPress Settings API, which automates much of the security overhead.\n\n1.  **Registering Settings**: Developers use `register_setting()` to define the option group and the specific option name. This function often includes a `sanitize_callback` to ensure data integrity.\n2.  **Generating the Form**: In the admin page template, `settings_fields($option_group)` is used. This function automatically renders hidden input fields, including the necessary nonce and the `option_page` identifier.\n3.  **Automatic Verification**: When the form is submitted to `options.php`, WordPress core automatically verifies the nonce and ensures the user has permission to update that specific option group before calling `update_option()`.\n\n### Manual Nonce Verification\n\nWhen plugins use custom handlers (e.g., via `admin_post_`), developers must manually implement nonce verification:\n\n*   **Generation**: The nonce is generated in the form using `wp_nonce_field('my_action_string', 'nonce_field_name')`.\n*   **Verification**: The handler function must use `check_admin_referer('my_action_string', 'nonce_field_name')` or `wp_verify_nonce()` before any processing occurs.\n\n```php\nadd_action('admin_post_update_my_plugin_settings', 'my_plugin_handle_save');\n\nfunction my_plugin_handle_save() {\n    \u002F\u002F 1. Verify Nonce (Prevents CSRF)\n    if (!isset($_POST['nonce_field_name']) || !wp_verify_nonce($_POST['nonce_field_name'], 'my_action_string')) {\n        wp_die('Security check failed');\n    }\n\n    \u002F\u002F 2. Check Capabilities (Prevents Broken Access Control)\n    if (!current_user_can('manage_options')) {\n        wp_die('Unauthorized');\n    }\n\n    \u002F\u002F 3. Process and Sanitize Input\n    if (isset($_POST['setting_name'])) {\n        update_option('my_plugin_option', sanitize_text_field($_POST['setting_name']));\n    }\n    \n    wp_redirect(admin_url('admin.php?page=my-plugin-settings&status=success'));\n    exit;\n}\n```\n\nFor further information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Handbook](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten project](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) for general web security principles.","The MetaMagic SEO Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.6. This is due to a lack of nonce validation in the metamagic_update_options function, allowing attackers to modify plugin settings by tricking an administrator into performing an action like clicking a link.","The exploit involves crafting a Cross-Site Request Forgery (CSRF) attack to update the plugin's settings. An attacker would create a malicious HTML page or link that, when visited by an authenticated administrator, sends a POST request to the WordPress admin dashboard. This request targets the metamagic_update_options function with parameters designed to modify SEO settings, such as enabling or disabling meta description and keyword tags. Because the plugin does not verify a security nonce, the request is processed as if the administrator intended to make those changes.","gemini-3-flash-preview","2026-06-04 18:29:18","2026-06-04 18:29:56",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmetamagic\u002Ftags"]