Platform: wordpress
Component: set-bulk-post-categories
Fixed in: 1.1.1
CVE-2026-1081 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Set Bulk Post Categories plugin for WordPress. This flaw allows unauthenticated attackers to manipulate post categories in bulk if they can trick a site administrator into clicking a malicious link. The vulnerability affects versions 0.0.0 through 1.1, and a patch is available.
The primary impact of this vulnerability is unauthorized modification of post categories within a WordPress site. An attacker could leverage this to alter the categorization of important content, potentially disrupting site navigation, SEO rankings, or even injecting malicious content. While requiring user interaction (tricking an administrator), the potential for widespread impact on a WordPress site's content integrity is significant. This vulnerability is similar to other CSRF flaws where an attacker can perform actions on behalf of an authenticated user without their knowledge.
CVE-2026-1081 was publicly disclosed on 2026-01-24. No public proof-of-concept (PoC) code has been identified at the time of writing. The EPSS score is pending evaluation. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (0% percentile)
The recommended mitigation is to immediately upgrade the Set Bulk Post Categories plugin to a version that addresses this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests lacking proper CSRF tokens for the bulk category update endpoint. Additionally, educate administrators about the risks of clicking on suspicious links and verify the authenticity of any requests before confirming them. After upgrading, confirm the fix by attempting a bulk category update as a non-authenticated user and verifying that the action is denied.
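The decision logic of the temporary WAF rule described above, as an added example that is not code from the plugin or from any WAF product. It assumes the bulk update is a POST to a wp-admin URL with `page=set-bulk-post-categories` and that the token uses WordPress's default `_wpnonce` field; the host name and sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "blog.example"                # constructed site host name
PLUGIN_PAGE = "set-bulk-post-categories"  # assumption: admin page slug equals the plugin slug
NONCE_FIELD = "_wpnonce"                  # WordPress default; the plugin's field name may differ
NONCE_RE = re.compile(r"[0-9a-f]{10}")    # WordPress nonces are 10 hex characters

def _host(url):
    """Lower-cased host of a URL, or '' for a missing or opaque value such as 'null'."""
    return (urlsplit(url).hostname or "").lower() if url else ""

def evaluate(method, url, headers, body=""):
    """Return (allow, reason) for one request, the way a WAF rule would decide."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # Only state-changing requests to the plugin's admin page are in scope.
    if method.upper() != "POST" or not parts.path.startswith("/wp-admin/"):
        return True, "not in scope"
    if PLUGIN_PAGE not in query.get("page", []):
        return True, "not in scope"
    # Browsers send Origin on cross-site POSTs; use Referer only if Origin is absent.
    h = {k.lower(): v for k, v in headers.items()}
    source = _host(h["origin"]) if "origin" in h else _host(h.get("referer"))
    if source != SITE_HOST:
        return False, "cross-site or missing Origin/Referer"
    # A WAF cannot validate the nonce (that needs the site's secret salts);
    # it can only require that a well-formed one is present.
    params = {**query, **parse_qs(body)}
    nonce = params.get(NONCE_FIELD, [""])[0]
    if not NONCE_RE.fullmatch(nonce):
        return False, "nonce missing or malformed"
    return True, "same-site with nonce"

if __name__ == "__main__":
    url = "https://blog.example/wp-admin/admin.php?page=set-bulk-post-categories"
    samples = [  # constructed requests; body parameter names are illustrative
        ("POST", url, {"Origin": "https://blog.example"}, "_wpnonce=0a1b2c3d4e&category=5"),
        ("POST", url, {"Origin": "https://other.example"}, "category=5"),
        ("POST", url, {"Referer": "https://blog.example/wp-admin/"}, "category=5"),
        ("GET", url, {}, ""),
    ]
    for method, target, headers, body in samples:
        print(method, headers, "->", evaluate(method, target, headers, body))
```

If the unpatched plugin's own form does not send a nonce, the nonce-presence check also blocks legitimate use, and the Origin/Referer comparison is the part that does the work until the plugin is upgraded.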
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-1081 is a Cross-Site Request Forgery (CSRF) vulnerability in the Set Bulk Post Categories WordPress plugin, allowing attackers to modify post categories via forged requests.
If you are using the Set Bulk Post Categories plugin in versions 0.0.0–1.1, you are potentially affected by this vulnerability.
Upgrade the Set Bulk Post Categories plugin to a patched version. As a temporary workaround, implement a WAF rule to block requests lacking proper CSRF tokens.
As of the current date, there are no confirmed reports of active exploitation of CVE-2026-1081.
Refer to the plugin developer's website or WordPress.org plugin repository for updates and advisories related to CVE-2026-1081.