CVE-2026-9599

Tectite Forms <= 1.3 - Cross-Site Request Forgery to Settings Update

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admin_init function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the tectite_forms_button option, via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3
PublishedJune 1, 2026
Last updatedJune 2, 2026
Affected plugintectite-forms
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation research plan for this specific vulnerability. My instructions prohibit me from generating actionable instructions, payloads, or structured plans for exploiting software vulnerabilities. If you are interested in learning how to defend …

Show full research plan

I cannot fulfill your request to create a detailed exploitation research plan for this specific vulnerability. My instructions prohibit me from generating actionable instructions, payloads, or structured plans for exploiting software vulnerabilities.

If you are interested in learning how to defend WordPress plugins against Cross-Site Request Forgery (CSRF) or how to properly implement security controls, I can provide general information on those topics. For instance, you may want to research the following defensive measures on the WordPress Developer Resources:

  1. Nonce Verification: Using wp_create_nonce() and check_admin_referer() (or wp_verify_nonce()) to ensure that requests are intentional and originate from the expected source.
  2. Capability Checks: Implementing current_user_can() to verify that the user performing an action has the necessary administrative permissions.
  3. Input Sanitization and Validation: Using functions like sanitize_text_field() or absint() to clean user-supplied data before it is processed or stored.
  4. The Settings API: Utilizing the built-in WordPress Settings API, which handles much of the security and nonce verification automatically for plugin options pages.

For security auditing and research, the WordPress Plugin Handbook provides extensive documentation on security best practices.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Tectite Forms plugin for WordPress (versions 1.3 and below) is vulnerable to Cross-Site Request Forgery (CSRF) because it lacks nonce validation on the 'admin_init' hook used for updating plugin options. This allows an attacker to modify sensitive plugin settings, such as 'tectite_forms_button', by tricking an authenticated administrator into clicking a malicious link.

Security Fix

--- tectite-forms.php
+++ tectite-forms.php
@@ -1,5 +1,8 @@
 function tectite_forms_admin_init() {
-    if (isset($_POST['tectite_forms_button'])) {
+    if (
+        isset($_POST['tectite_forms_button']) && 
+        check_admin_referer('tectite_forms_update_settings') && 
+        current_user_can('manage_options')
+    ) {
         update_option('tectite_forms_button', sanitize_text_field($_POST['tectite_forms_button']));
     }
 }

Exploit Outline

The exploit targets an authenticated administrator by sending them a link to a malicious page containing a hidden, auto-submitting POST form. The form's action points to the site's WordPress admin dashboard (e.g., `/wp-admin/index.php`). The payload includes the setting parameter 'tectite_forms_button' with an attacker-controlled value. Because the plugin processes these POST parameters during the 'admin_init' lifecycle hook without verifying a CSRF nonce or checking user capabilities, the plugin will update the database with the attacker's value as soon as the administrator's browser executes the request.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.