CVE-2026-8940

WP Meta Sort Posts <= 0.9 - Cross-Site Request Forgery to Plugin Settings Update

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to change the plugin's msp_loop_file and msp_nav_location settings via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.9
PublishedJune 8, 2026
Last updatedJune 9, 2026
Affected pluginwp-meta-sort-posts
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-8940 (WP Meta Sort Posts) ## 1. Vulnerability Summary The **WP Meta Sort Posts** plugin (version <= 0.9) contains a Cross-Site Request Forgery (CSRF) vulnerability in its settings management logic. The plugin handles the update of its configuration settings—sp…

Show full research plan

Exploitation Research Plan: CVE-2026-8940 (WP Meta Sort Posts)

1. Vulnerability Summary

The WP Meta Sort Posts plugin (version <= 0.9) contains a Cross-Site Request Forgery (CSRF) vulnerability in its settings management logic. The plugin handles the update of its configuration settings—specifically msp_loop_file and msp_nav_location—within the msp-options.php file. This file is included when the plugin's administration page is accessed. Because the code responsible for processing the update request does not implement WordPress nonce validation, an unauthenticated attacker can forge a request that, if executed by a logged-in administrator, will modify the plugin's settings.

2. Attack Vector Analysis

  • Target Endpoint: /wp-admin/options-general.php?page=wp-meta-sort-posts (or the specific slug assigned to the plugin's settings menu).
  • Vulnerable Action: A POST request to the settings page URL.
  • Payload Parameters:
    • msp_loop_file: The value to be set for the loop file option.
    • msp_nav_location: The value to be set for the navigation location option.
    • msp_submit (or similar submit button identifier, inferred): Likely used to trigger the update logic.
  • Authentication Level: CSRF requires the victim to be a logged-in Administrator.
  • Preconditions: The attacker must trick an administrator into clicking a malicious link or visiting a site containing a cross-origin auto-submitting form.

3. Code Flow (Inferred)

  1. The main plugin file (wp-meta-sort-posts.php) uses add_options_page() to register a settings page.
  2. The callback for this page includes the file msp-options.php.
  3. At the top of msp-options.php, the code checks if the form has been submitted (e.g., if ( isset($_POST['msp_submit']) )).
  4. The script proceeds to call update_option( 'msp_loop_file', $_POST['msp_loop_file'] ) and update_option( 'msp_nav_location', $_POST['msp_nav_location'] ).
  5. Vulnerability Sink: There is no call to check_admin_referer() or wp_verify_nonce() before these update_option calls.

4. Nonce Acquisition Strategy

According to the vulnerability description, there is missing nonce validation. In a standard CSRF scenario involving missing validation:

  • No nonce is required to execute the attack.
  • The attacker does not need to extract any tokens from the site.
  • The http_request tool should be used to send a POST request without any _wpnonce or security parameter.

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated request can change the plugin settings by masquerading as an administrator.

  1. Preparation: Identify the exact URL of the settings page. Based on the plugin slug wp-meta-sort-posts, it is typically found at admin.php?page=wp-meta-sort-posts or options-general.php?page=wp-meta-sort-posts.
  2. Request Construction: Use the http_request tool to perform a POST request.
  3. Payload:
    POST /wp-admin/options-general.php?page=wp-meta-sort-posts HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    msp_loop_file=pwned_loop.php&msp_nav_location=pwned_nav&msp_submit=Update+Options
    
  4. Simulation: The automated agent will act as the "attacker" sending the request, while the session context provided to http_request (if simulating an admin) will prove that the lack of a nonce allows the state-changing operation to succeed.

6. Test Data Setup

  1. Plugin Installation: Ensure wp-meta-sort-posts version 0.9 is installed and activated.
  2. Admin User: Ensure a standard administrator user exists.
  3. Initial State: Verify the default values for the options:
    • wp option get msp_loop_file
    • wp option get msp_nav_location

7. Expected Results

  • The server should return a 302 Redirect (standard WordPress settings save behavior) or a 200 OK showing the settings page with updated values.
  • The database options msp_loop_file and msp_nav_location should reflect the values sent in the malicious POST request.

8. Verification Steps

After sending the http_request, use WP-CLI to confirm the change in the database:

# Check if the msp_loop_file was updated
wp option get msp_loop_file

# Check if the msp_nav_location was updated
wp option get msp_nav_location

The output should match the strings provided in the exploit payload (e.g., pwned_loop.php).

9. Alternative Approaches

If the plugin uses a different entry point for saving settings:

  • Check for AJAX: Search for wp_ajax_ hooks in the source code using grep -r "wp_ajax_" .. If an AJAX handler exists for saving settings, target wp-admin/admin-ajax.php with the appropriate action parameter.
  • Check for admin-post: Search for admin_post_ hooks. If found, target wp-admin/admin-post.php.
  • Form Field Discovery: If the parameter names msp_loop_file or msp_nav_location are slightly different, use browser_navigate to view the settings page and browser_eval to inspect the form input names: browser_eval("Array.from(document.querySelectorAll('input')).map(i => i.name)").
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 0.9. This is due to missing nonce validation in the plugin's settings update logic in msp-options.php, allowing unauthenticated attackers to modify plugin configurations by tricking an administrator into submitting a forged request.

Vulnerable Code

/* wp-meta-sort-posts/msp-options.php */

if ( isset($_POST['msp_submit']) ) {
    update_option( 'msp_loop_file', $_POST['msp_loop_file'] );
    update_option( 'msp_nav_location', $_POST['msp_nav_location'] );
}

Security Fix

--- wp-meta-sort-posts/msp-options.php
+++ wp-meta-sort-posts/msp-options.php
@@ -1,5 +1,6 @@
 <?php
 if ( isset($_POST['msp_submit']) ) {
+    check_admin_referer( 'msp_save_settings', 'msp_nonce' );
     update_option( 'msp_loop_file', $_POST['msp_loop_file'] );
     update_option( 'msp_nav_location', $_POST['msp_nav_location'] );
 }

Exploit Outline

The exploit targets the plugin's settings page, typically found at /wp-admin/options-general.php?page=wp-meta-sort-posts. An attacker constructs a malicious page or link that, when visited by a logged-in administrator, triggers a cross-origin POST request. This request includes parameters for 'msp_loop_file' and 'msp_nav_location' along with a submit trigger. Because the plugin lacks nonce validation, the request successfully updates the plugin settings with the attacker-controlled values.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.