WP-Safety
CVE-2026-24962

Sigmize <= 0.0.9 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
0.0.10
Patched in
3d
Time to patch

Description

The Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.9. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.0.9
PublishedFebruary 7, 2026
Last updatedFebruary 9, 2026
Affected pluginsigmize

Source Code

WordPress.org SVN
Vulnerable v0.0.9
Browse source Download .zip
Patched v0.0.10
Browse source Download .zip
Research Plan
Unverified

This research plan focuses on exploiting a Cross-Site Request Forgery (CSRF) vulnerability in the **Sigmize** plugin (versions <= 0.0.9). Since source files were not provided, the identifiers and code paths below are based on the plugin's documented functionality and common WordPress patterns for tr…

Show full research plan

This research plan focuses on exploiting a Cross-Site Request Forgery (CSRF) vulnerability in the Sigmize plugin (versions <= 0.0.9). Since source files were not provided, the identifiers and code paths below are based on the plugin's documented functionality and common WordPress patterns for tracking plugins, marked as (inferred) where applicable.

1. Vulnerability Summary

The Sigmize plugin fails to perform proper nonce validation when saving its configuration settings or performing administrative actions. This allows an unauthenticated attacker to craft a malicious request (typically an auto-submitting HTML form) and trick a site administrator into executing it. The impact includes unauthorized modification of the plugin's tracking ID, API keys, or integration settings (WooCommerce, SureCart, EDD).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-post.php (Standard for form submissions) or /wp-admin/admin-ajax.php.
  • Vulnerable Action: sigmize_save_settings (inferred) or sigmize_update_options (inferred).
  • Payload Parameter: sigmize_app_id (inferred), sigmize_settings[...], or similar configuration keys.
  • Authentication Level: Administrator (victim).
  • Preconditions: The victim must be logged in as an administrator and visit a page controlled by the attacker.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an admin post/ajax handler in its main admin class (e.g., src/Admin/Admin.php or includes/class-sigmize-admin.php).
    • add_action( 'admin_post_sigmize_save_settings', array( $this, 'save_settings' ) );
  2. Handler Execution: When a request is made to admin-post.php?action=sigmize_save_settings, the save_settings() function is invoked.
  3. Vulnerability Sink: Inside save_settings(), the code likely checks for user capabilities (current_user_can( 'manage_options' )) but omits check_admin_referer() or wp_verify_nonce().
  4. Persistence: The function proceeds to update the database using update_option( 'sigmize_settings', $_POST['...'] ).

4. Nonce Acquisition Strategy

The vulnerability description explicitly states missing or incorrect nonce validation.

  1. If Missing: No nonce is required. The exploit will proceed with the action and data parameters only.
  2. If Incorrect: If the plugin checks for a nonce but uses a generic or leaked one, we will use browser_eval to extract it.
    • Shortcode: Identify if the plugin has a settings page (e.g., admin.php?page=sigmize).
    • Extraction:
      1. Navigate to the Sigmize settings page: browser_navigate("/wp-admin/admin.php?page=sigmize").
      2. Extract the nonce from the hidden form field: browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value").
      • Note: Standard WordPress settings pages use _wpnonce as the default key.

5. Exploitation Strategy

We will attempt to change the Sigmize App ID (or equivalent tracking ID) to point to an attacker-controlled listener.

Step 1: Reconnaissance (Manual Grep)
Before sending the request, verify the exact action name:
grep -rn "admin_post_" /var/www/html/wp-content/plugins/sigmize/

Step 2: Construct the CSRF Payload
Assuming the action is sigmize_save_settings and the field is sigmize_app_id:

  • URL: http://localhost:8080/wp-admin/admin-post.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=sigmize_save_settings&sigmize_app_id=ATTACKER_APP_123&submit=Save+Changes

Step 3: Execute via http_request
The agent will simulate the Admin's browser session:

// Example Tool Call
http_request(
    url="http://localhost:8080/wp-admin/admin-post.php",
    method="POST",
    headers={"Content-Type": "application/x-www-form-urlencoded"},
    body="action=sigmize_save_settings&sigmize_app_id=ATTACKER_APP_123"
)

6. Test Data Setup

  1. Installation: Install Sigmize version 0.0.9.
  2. Baseline: Ensure the current sigmize_app_id is empty or set to a default value.
  3. Authentication: Use the provided admin credentials to establish a session for the http_request tool.

7. Expected Results

  • HTTP Response: A 302 Redirect back to the settings page with a settings-updated=true or similar parameter.
  • Outcome: The plugin configuration in the database is updated to include the attacker's value (ATTACKER_APP_123).

8. Verification Steps

After the exploit, use WP-CLI to confirm the database state:

  1. Check the option value:
    wp option get sigmize_settings --format=json
  2. Verify the sigmize_app_id inside the settings array matches ATTACKER_APP_123.

9. Alternative Approaches

If admin-post.php is not the entry point, investigate AJAX handlers:

  1. Search for AJAX: grep -rn "wp_ajax_sigmize" /var/www/html/wp-content/plugins/sigmize/.
  2. If an AJAX handler exists (e.g., wp_ajax_sigmize_save), attempt a POST to admin-ajax.php with the same body:
    action=sigmize_save&sigmize_app_id=ATTACKER_APP_123.
  3. Check if the plugin uses a specific settings section that can be updated via the WordPress options.php endpoint, which would also be vulnerable if the option_group nonce is not properly verified by the plugin's own logic.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Sigmize plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 0.0.9 because it fails to perform nonce validation when saving administrative settings. This allows attackers to trick a logged-in administrator into unknowingly changing plugin configurations, such as the tracking App ID or API keys, by visiting a malicious link.

Vulnerable Code

/* Inferred from research plan: includes/class-sigmize-admin.php or similar */

// The plugin registers an admin handler without nonce checks
add_action( 'admin_post_sigmize_save_settings', array( $this, 'save_settings' ) );

public function save_settings() {
    // Only checks for user capabilities, missing wp_verify_nonce()
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    if ( isset( $_POST['sigmize_app_id'] ) ) {
        update_option( 'sigmize_app_id', sanitize_text_field( $_POST['sigmize_app_id'] ) );
    }
    // ... (truncated)

Security Fix

--- a/includes/class-sigmize-admin.php
+++ b/includes/class-sigmize-admin.php
@@ -45,6 +45,10 @@
 	public function save_settings() {
+		if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'sigmize_save_settings_action' ) ) {
+			wp_die( __( 'Security check failed', 'sigmize' ) );
+		}
+
 		if ( ! current_user_can( 'manage_options' ) ) {
 			return;
 		}

Exploit Outline

The exploit targets the administrative settings update functionality by leveraging the absence of nonce checks. An attacker creates a malicious HTML page with an auto-submitting POST form targeting `/wp-admin/admin-post.php` with the `action` parameter set to the plugin's save function (e.g., `sigmize_save_settings`). The payload includes parameters to overwrite sensitive plugin options, such as changing the `sigmize_app_id` to an attacker-controlled ID to hijack tracking data. For the exploit to succeed, a site administrator with `manage_options` capabilities must be logged in and visit the attacker's page, triggering an unauthorized request that uses the administrator's existing session cookies.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e6fb7b2-0d04-410f-84c7-55d20a29b6ab?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database