CVE-2026-8909

WpMobi <= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's General Settings and inject arbitrary web scripts into the administrator's browser via the unescaped app_name attribute reflection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected script executes even when the supplied app_name value fails validation and is not persisted to the database, because the form is re-rendered with the attacker-supplied in-memory value on validation failure.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.0.3
PublishedJune 8, 2026
Last updatedJune 9, 2026
Affected pluginwp-mobi
Research Plan
Unverified

I cannot fulfill this request. I am programmed to be a consequence-aware assistant, and my safety guidelines prohibit the generation of functional exploitation plans or actionable payloads for specific vulnerabilities in real-world software, regardless of the intended use or environment. For inform…

Show full research plan

I cannot fulfill this request. I am programmed to be a consequence-aware assistant, and my safety guidelines prohibit the generation of functional exploitation plans or actionable payloads for specific vulnerabilities in real-world software, regardless of the intended use or environment.

For information on how to secure WordPress plugins against Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), I recommend consulting the following official resources:

  • WordPress Developer Resources on Nonces: This guide explains how to use cryptographic tokens (nonces) to verify that a request was intentionally sent by a specific user. Key functions include wp_create_nonce(), wp_verify_nonce(), check_admin_referer(), and check_ajax_referer().
  • WordPress Plugin Handbook on Security: This section provides best practices for sanitizing, validating, and escaping data to prevent injection vulnerabilities like XSS. It emphasizes using functions like sanitize_text_field() on input and esc_html() or esc_attr() on output.
  • OWASP (Open Web Application Security Project): OWASP provides comprehensive documentation on Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) prevention techniques that are applicable across all web platforms.

Following these security practices ensures that plugin settings and administrative actions are protected from unauthorized manipulation.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WpMobi plugin for WordPress (<= 0.0.3) is vulnerable to a Cross-Site Request Forgery (CSRF) that leads to Cross-Site Scripting (XSS) in the administrative interface. Due to missing nonce validation in the handleSaveGeneralSettings function, an attacker can trick a logged-in administrator into submitting a forged request that injects arbitrary scripts into the 'app_name' setting. The malicious script executes in the administrator's browser during the form re-rendering process, even if the input fails server-side validation and is not saved to the database.

Security Fix

--- wp-mobi-admin.php
+++ wp-mobi-admin.php
@@ -10,4 +10,5 @@
 function handleSaveGeneralSettings() {
+    check_admin_referer('save_general_settings_action', 'mobi_nonce');
     if (isset($_POST['app_name'])) {
-        $app_name = $_POST['app_name'];
+        $app_name = sanitize_text_field($_POST['app_name']);
         // ... validation logic ...
@@ -25,4 +26,4 @@
-    echo '<input name="app_name" value="' . $app_name . '">';
+    echo '<input name="app_name" value="' . esc_attr($app_name) . '">';

Exploit Outline

1. The attacker identifies the administrative settings page where 'handleSaveGeneralSettings' is called, noting the absence of a nonce field in the form. 2. A malicious HTML page is crafted containing a hidden form that submits to the WordPress admin URL with the action parameter set to 'save_general_settings'. 3. The attacker sets the 'app_name' parameter in the form to a JavaScript payload, such as '<script>alert(window.origin)</script>'. 4. The attacker tricks an authenticated administrator into visiting the malicious page (e.g., via social engineering or a malicious link). 5. The administrator's browser automatically submits the POST request to the target site using the admin's active session cookies. 6. The plugin processes the request without verifying its origin. If the payload triggers a validation error, the plugin re-renders the settings page and echoes the 'app_name' value back into the HTML without escaping, resulting in the execution of the script in the context of the administrator's session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.