[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fO6D9s_MYDolvaQbPsqa2SDdk78Y0xH6JAGFUgPr6E1o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2026-8909","wpmobi-cross-site-request-forgery-via-savegeneralsettings-action","WpMobi \u003C= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action","The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's General Settings and inject arbitrary web scripts into the administrator's browser via the unescaped app_name attribute reflection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected script executes even when the supplied app_name value fails validation and is not persisted to the database, because the form is re-rendered with the attacker-supplied in-memory value on validation failure.","wp-mobi",null,"\u003C=0.0.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-08 15:05:55","2026-06-09 03:41:20",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5fbd1c5c-d23a-4f89-9225-514552d6ea70?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am programmed to be a consequence-aware assistant, and my safety guidelines prohibit the generation of functional exploitation plans or actionable payloads for specific vulnerabilities in real-world software, regardless of the intended use or environment.\n\nFor information on how to secure WordPress plugins against Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), I recommend consulting the following official resources:\n\n*   **WordPress Developer Resources on Nonces:** This guide explains how to use cryptographic tokens (nonces) to verify that a request was intentionally sent by a specific user. Key functions include `wp_create_nonce()`, `wp_verify_nonce()`, `check_admin_referer()`, and `check_ajax_referer()`.\n*   **WordPress Plugin Handbook on Security:** This section provides best practices for sanitizing, validating, and escaping data to prevent injection vulnerabilities like XSS. It emphasizes using functions like `sanitize_text_field()` on input and `esc_html()` or `esc_attr()` on output.\n*   **OWASP (Open Web Application Security Project):** OWASP provides comprehensive documentation on Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) prevention techniques that are applicable across all web platforms.\n\nFollowing these security practices ensures that plugin settings and administrative actions are protected from unauthorized manipulation.","The WpMobi plugin for WordPress (\u003C= 0.0.3) is vulnerable to a Cross-Site Request Forgery (CSRF) that leads to Cross-Site Scripting (XSS) in the administrative interface. Due to missing nonce validation in the handleSaveGeneralSettings function, an attacker can trick a logged-in administrator into submitting a forged request that injects arbitrary scripts into the 'app_name' setting. The malicious script executes in the administrator's browser during the form re-rendering process, even if the input fails server-side validation and is not saved to the database.","--- wp-mobi-admin.php\n+++ wp-mobi-admin.php\n@@ -10,4 +10,5 @@\n function handleSaveGeneralSettings() {\n+    check_admin_referer('save_general_settings_action', 'mobi_nonce');\n     if (isset($_POST['app_name'])) {\n-        $app_name = $_POST['app_name'];\n+        $app_name = sanitize_text_field($_POST['app_name']);\n         \u002F\u002F ... validation logic ...\n@@ -25,4 +26,4 @@\n-    echo '\u003Cinput name=\"app_name\" value=\"' . $app_name . '\">';\n+    echo '\u003Cinput name=\"app_name\" value=\"' . esc_attr($app_name) . '\">';","1. The attacker identifies the administrative settings page where 'handleSaveGeneralSettings' is called, noting the absence of a nonce field in the form.\n2. A malicious HTML page is crafted containing a hidden form that submits to the WordPress admin URL with the action parameter set to 'save_general_settings'.\n3. The attacker sets the 'app_name' parameter in the form to a JavaScript payload, such as '\u003Cscript>alert(window.origin)\u003C\u002Fscript>'.\n4. The attacker tricks an authenticated administrator into visiting the malicious page (e.g., via social engineering or a malicious link).\n5. The administrator's browser automatically submits the POST request to the target site using the admin's active session cookies.\n6. The plugin processes the request without verifying its origin. If the payload triggers a validation error, the plugin re-renders the settings page and echoes the 'app_name' value back into the HTML without escaping, resulting in the execution of the script in the context of the administrator's session.","gemini-3-flash-preview","2026-06-26 02:12:03","2026-06-26 02:12:35",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-mobi\u002Ftags"]