CVE-2026-24596

Related Posts Thumbnails Plugin for WordPress <= 4.3.2 - Cross-Site Request Forgery

Severity: medium (Cross-Site Request Forgery (CSRF))
CVSS Score: 4.3
Patched in: 4.3.3
Time to patch: 62d

Description

The Related Posts Thumbnails Plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.3.2
Published: January 15, 2026
Last updated: March 17, 2026

Source Code: WordPress.org SVN

Research Plan (Unverified)


Exploitation Research Plan - CVE-2026-24596

1. Vulnerability Summary

The Related Posts Thumbnails Plugin for WordPress (<= 4.3.2) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the admin settings management logic, where the plugin fails to perform adequate nonce validation when saving or modifying plugin options. This allows an unauthenticated attacker to forge a request that, if executed by a logged-in administrator, can modify the plugin's configuration, potentially leading to unauthorized site behavior or secondary attacks like Stored XSS.

2. Attack Vector Analysis

  • Target Endpoint: wp-admin/options-general.php?page=related-posts-thumbnails (inferred slug) or wp-admin/admin-post.php.
  • Vulnerable Action: The processing of settings updates, typically triggered via a POST request.
  • Authentication Level: Unauthenticated (attacker initiates), but requires a Site Administrator to be tricked into the action.
  • Payload Carry: HTTP POST body containing plugin configuration parameters.
  • Preconditions:
    1. The plugin "Related Posts Thumbnails" must be active.
    2. An administrator must be logged into the WordPress dashboard.

3. Code Flow

The vulnerability likely resides in the main plugin file (related-posts-thumbnails.php) or an includes file handling the admin interface (e.g., includes/admin-options.php).

  1. Registration: The plugin registers an options page via add_options_page() with a callback function (e.g., rpt_options_page).
  2. Hook: The settings are likely processed either inside that callback function or via the admin_init hook.
  3. Logic Path:
    • The code checks for a POST request: if ( isset( $_POST['submit'] ) ) or if ( isset( $_POST['update_related_posts_thumbnails_settings'] ) ).
    • It proceeds to update settings using update_option( 'relpostthumb_options', ... ).
  4. Vulnerability: The critical failure is the absence of check_admin_referer() or wp_verify_nonce() before the update_option call.

4. Nonce Acquisition Strategy

According to the vulnerability description, the nonce check is either missing or incorrectly implemented.

  • If Missing: No nonce is required. The exploit will proceed by sending the POST request without any security tokens.
  • If Incorrect (Bypass): Some versions of this plugin might use a generic action string or fail to check the return value of wp_verify_nonce.
  • Verification of Presence:
    • The agent should first use browser_navigate to the settings page: wp-admin/options-general.php?page=related-posts-thumbnails.
    • Use browser_eval to check for the existence of a nonce field in the form:
      browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value")
    • If a nonce field exists, check if the server actually validates it by attempting a request with an invalid nonce.

5. Exploitation Strategy

The goal is to demonstrate that an admin's settings can be changed without their intentional consent via CSRF.

  1. Information Gathering:

    • Navigate to the settings page to identify the form structure and parameter names.
    • Common parameters for this plugin (inferred): rpt_title, rpt_display_number, rpt_thumbnail_width.
  2. Exploit Execution (Simulated CSRF):

    • Use the http_request tool to send a POST request to wp-admin/options-general.php?page=related-posts-thumbnails.
    • Note: To simulate CSRF, the agent must ensure the request is made with the Admin's session cookies (handled automatically by the tool when navigating as admin).
  3. Payload Construction:

    • URL: http://localhost:8080/wp-admin/options-general.php?page=related-posts-thumbnails
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      rpt_title=Hacked+Title&rpt_display_number=99&submit=Save+Changes (Specific parameter names must be verified from the source/browser).

6. Test Data Setup

  1. Plugin Installation: Ensure related-posts-thumbnails version 4.3.2 is installed and activated.
  2. Admin User: A standard administrator account.
  3. Initial State: Observe the current "Title" of the Related Posts thumbnails section (usually "Related Posts").

7. Expected Results

  • HTTP Response: A 302 Redirect back to the settings page with a settings-updated=true parameter, or a 200 OK showing the new values in the form.
  • Persistence: The plugin options in the database are updated to the attacker-supplied values.

8. Verification Steps

After sending the POST request, verify the change using wp-cli:

# Check the specific option value in the database
wp option get relpostthumb_options --format=json

Confirm that the rpt_title or equivalent key now reflects "Hacked Title".

9. Alternative Approaches

If the settings page uses admin-post.php instead of the options page directly:

  1. Identify Action: Find the value of <input type="hidden" name="action" value="...">.
  2. Target URL: http://localhost:8080/wp-admin/admin-post.php.
  3. Body: Include the action parameter along with the settings parameters.

If the vulnerability is in a thumbnail generation function:

  1. Target: Look for an AJAX action like rpt_generate_thumbnails.
  2. Request: POST /wp-admin/admin-ajax.php with action=rpt_generate_thumbnails and no nonce.

Research Findings

Static analysis, not yet PoC-verified

Summary

The Related Posts Thumbnails Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 4.3.2. This occurs due to the plugin failing to implement nonce validation when processing configuration updates on its settings page, allowing attackers to trick administrators into modifying plugin settings.

Vulnerable Code

// File: related-posts-thumbnails.php (or admin includes)
// Function responsible for rendering and saving settings
function rpt_options_page() {
    if ( isset( $_POST['update_related_posts_thumbnails_settings'] ) ) {
        // VULNERABILITY: No check_admin_referer() or wp_verify_nonce() call before updating options
        $options = array(
            'rpt_title' => sanitize_text_field( $_POST['rpt_title'] ),
            'rpt_display_number' => intval( $_POST['rpt_display_number'] ),
            // ... other settings
        );
        update_option( 'relpostthumb_options', $options );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    // ... rest of the function
}

Security Fix

--- a/related-posts-thumbnails.php
+++ b/related-posts-thumbnails.php
@@ -10,6 +10,7 @@
 function rpt_options_page() {
-    if ( isset( $_POST['update_related_posts_thumbnails_settings'] ) ) {
+    if ( isset( $_POST['update_related_posts_thumbnails_settings'] ) ) {
+        check_admin_referer( 'rpt_settings_nonce_action', 'rpt_nonce_field' );
         $options = array(
             'rpt_title' => sanitize_text_field( $_POST['rpt_title'] ),
             'rpt_display_number' => intval( $_POST['rpt_display_number'] ),
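Review bot: the `-`/`+` pair on `if ( isset( $_POST['update_related_posts_thumbnails_settings'] ) ) {` is a no-op (both lines are byte-identical) and should be dropped so the hunk only adds the `check_admin_referer( 'rpt_settings_nonce_action', 'rpt_nonce_field' );` line; as pasted, the header `@@ -10,6 +10,7 @@` also counts one more old and one more new line than the hunk contains, so the patch will not apply cleanly. While here, a nonce proves the request came from the plugin's own form but says nothing about who is allowed to change options; consider a `if ( ! current_user_can( 'manage_options' ) ) { wp_die( ... ); }` guard ahead of the nonce check.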
@@ -40,4 +41,5 @@
         <form method="post" action="">
+            <?php wp_nonce_field( 'rpt_settings_nonce_action', 'rpt_nonce_field' ); ?>
             <input type="hidden" name="update_related_posts_thumbnails_settings" value="1">
             <!-- Form fields -->
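Review bot: the header `@@ -40,4 +41,5 @@` claims four old and five new lines but the hunk shows three and four, so this hunk is truncated and will be rejected by `patch` as-is; re-generate it from the working tree rather than hand-editing. The nonce action and field name match the `check_admin_referer()` call in the first hunk, which is the part that must stay in sync, and the hidden `update_related_posts_thumbnails_settings` input is still needed because the handler keys on it.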

Exploit Outline

The exploit targets the plugin's settings update logic via CSRF.

  1. The attacker identifies the target endpoint, which is typically the WordPress admin options page for the plugin: /wp-admin/options-general.php?page=related-posts-thumbnails.
  2. A malicious HTML page is crafted containing a form that auto-submits a POST request to this endpoint.
  3. The payload includes the parameter update_related_posts_thumbnails_settings=1 along with modified configuration values like rpt_title or rpt_display_number.
  4. The attacker tricks a logged-in site administrator into visiting this malicious page.
  5. Because the plugin lacks nonce validation, the administrator's browser executes the POST request using their active session cookies, successfully updating the plugin's configuration to the attacker's desired state.
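For comparison, the same settings flow written with the checks that close this class of CSRF: a capability check, a nonce field bound to the form's submit action, and server-side validation before update_option(). This is an added example, not the plugin's code and not from the advisory's authors. The option name relpostthumb_options, the field names rpt_title and rpt_display_number, and the nonce action/field strings are those quoted above; the function names prefixed example_, the admin-post action name, the defaults and the 1..50 clamp on the display count are assumptions.

```php
<?php
// Added example (not the plugin's own code): a WordPress options page whose
// save path has the checks the vulnerable handler lacks. Names prefixed
// "example_" and the admin-post action name are hypothetical.

// Render the settings page. Both the page and the save handler check the
// capability; the form carries a nonce tied to the logged-in user.
function example_rpt_options_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to manage these settings.', 'example' ) );
    }

    // Assumed defaults; the plugin's real defaults are not on the page.
    $options = wp_parse_args(
        (array) get_option( 'relpostthumb_options', array() ),
        array( 'rpt_title' => 'Related Posts', 'rpt_display_number' => 3 )
    );
    ?>
    <div class="wrap">
        <h1>Related Posts Thumbnails</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <?php wp_nonce_field( 'rpt_settings_nonce_action', 'rpt_nonce_field' ); ?>
            <input type="hidden" name="action" value="example_rpt_save_settings">
            <p><label>Title
                <input type="text" name="rpt_title"
                       value="<?php echo esc_attr( $options['rpt_title'] ); ?>"></label></p>
            <p><label>Number of posts
                <input type="number" name="rpt_display_number" min="1" max="50"
                       value="<?php echo esc_attr( $options['rpt_display_number'] ); ?>"></label></p>
            <?php submit_button( 'Save Changes' ); ?>
        </form>
    </div>
    <?php
}

// Save handler reached through admin-post.php. It is hooked to
// admin_post_{action} only (not admin_post_nopriv_{action}), so anonymous
// requests never execute it.
function example_rpt_save_settings() {
    // 1. Authorization: is this user allowed to change options at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the nonce proves the POST originated from the form
    //    WordPress rendered for this user. A page on another origin cannot
    //    read or forge it. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'rpt_settings_nonce_action', 'rpt_nonce_field' );

    // 3. Validation: $_POST is still untrusted after the checks above.
    $title = isset( $_POST['rpt_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['rpt_title'] ) )
        : '';
    $count = isset( $_POST['rpt_display_number'] )
        ? max( 1, min( 50, (int) $_POST['rpt_display_number'] ) ) // assumed bounds
        : 3;

    update_option( 'relpostthumb_options', array(
        'rpt_title'          => $title,
        'rpt_display_number' => $count,
    ) );

    // 4. Post/redirect/get back to the page with a status flag.
    wp_safe_redirect( add_query_arg(
        array( 'page' => 'related-posts-thumbnails', 'settings-updated' => 'true' ),
        admin_url( 'options-general.php' )
    ) );
    exit;
}

add_action( 'admin_menu', function () {
    add_options_page(
        'Related Posts Thumbnails', 'Related Posts Thumbnails',
        'manage_options', 'related-posts-thumbnails', 'example_rpt_options_page'
    );
} );
add_action( 'admin_post_example_rpt_save_settings', 'example_rpt_save_settings' );
```

Two points the example makes that the one-line patch does not: a nonce is an intent check, not an authorization check, so current_user_can() sits in front of check_admin_referer() rather than being replaced by it; and moving the POST to admin-post.php with a registered action separates rendering from saving, so the save path cannot be reached simply by loading the options page with a crafted body. When auditing a plugin for this bug, the pattern to look for is exactly the one in the vulnerable snippet above: an update_option() call guarded only by isset( $_POST[...] ).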

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.