Platform
wordpress
Component
the-guardian-news-feed
Fixed in
1.2.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in The Guardian News Feed plugin for WordPress, affecting versions from 0.0.0 through 1.2. This flaw allows unauthenticated attackers to manipulate the plugin's settings, potentially compromising sensitive information like the Guardian API key. The vulnerability stems from a lack of nonce validation during settings updates, enabling forged requests to be executed if an administrator is tricked into performing an action. A fix is available.
Successful exploitation of this CSRF vulnerability allows an attacker to modify the plugin's configuration without authentication. The most critical impact is the potential for an attacker to replace the Guardian API key, effectively hijacking the plugin's functionality and potentially gaining unauthorized access to data. This could lead to data breaches, manipulation of content displayed on the website, or even complete control over the plugin's behavior. The attacker would need to craft a malicious request and trick a site administrator into clicking a link or visiting a page containing the forged request. This is a common attack vector, and while requiring user interaction, the potential impact is significant.
This vulnerability was publicly disclosed on 2026-03-07. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. While the CVSS score indicates a medium severity, the requirement for user interaction limits the immediate exploitation probability.
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade The Guardian News Feed plugin to a version containing the fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the plugin's settings update endpoint; specifically, flag settings-update requests that carry no nonce field at all. Additionally, restrict access to the plugin's settings page to authorized administrators only. Regularly review plugin settings for any unauthorized modifications. After upgrading, confirm the fix by attempting a settings update as an unauthenticated user and verifying that the request is rejected.
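The root cause named above is a settings handler that updates options without verifying a nonce. The following is an added example, not code from The Guardian News Feed plugin, showing how a WordPress settings handler is normally protected: a nonce bound to a specific action plus a capability check. All names (the `gnf_example_*` functions, the `gnf_example_api_key` option, the `gnf-example` page slug) are hypothetical placeholders; the WordPress functions themselves (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `admin_post_*` hooks) are real core APIs.

```php
<?php
// Added example (hypothetical names, not the plugin's own code): a settings
// page and its POST handler hardened against CSRF in the standard WordPress way.

// Render the settings form. The hidden nonce field ties this form to one action.
function gnf_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'gnf-example' ) );
    }
    $api_key = get_option( 'gnf_example_api_key', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gnf_example_save_settings">
        <?php wp_nonce_field( 'gnf_example_save_settings', 'gnf_example_nonce' ); ?>
        <label for="gnf_example_api_key">API key</label>
        <input type="text" id="gnf_example_api_key" name="gnf_example_api_key"
               value="<?php echo esc_attr( $api_key ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. Both checks are needed: the capability check stops
// non-administrators, and the nonce check stops a forged request that an
// administrator's browser submits from a third-party page (the CSRF case).
function gnf_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'gnf-example' ), '', array( 'response' => 403 ) );
    }

    // check_admin_referer() calls wp_die() itself when the nonce is missing,
    // expired, or was issued for a different action or user.
    check_admin_referer( 'gnf_example_save_settings', 'gnf_example_nonce' );

    // Only after both checks pass is the submitted value sanitised and stored.
    $api_key = isset( $_POST['gnf_example_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['gnf_example_api_key'] ) )
        : '';
    update_option( 'gnf_example_api_key', $api_key );

    wp_safe_redirect(
        add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=gnf-example' ) )
    );
    exit;
}

// admin_post_{action} fires only for logged-in users. The matching
// admin_post_nopriv_{action} hook is deliberately not registered, so an
// anonymous request never reaches the handler at all.
add_action( 'admin_post_gnf_example_save_settings', 'gnf_example_save_settings' );
```

A plugin that registers its options through the Settings API (`register_setting()` and a form posting to `options.php`) gets the same nonce check from core for free; the hand-rolled handler above is the case where the plugin author must add it explicitly, and omitting `check_admin_referer()` is exactly the class of defect described in this advisory.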
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-1087 is a Cross-Site Request Forgery (CSRF) vulnerability affecting The Guardian News Feed WordPress plugin versions 0.0.0–1.2, allowing attackers to modify plugin settings.
You are affected if you are using The Guardian News Feed plugin in versions 0.0.0 through 1.2. Upgrade to a patched version to resolve the vulnerability.
Upgrade The Guardian News Feed plugin to the latest available version. If upgrading is not immediately possible, implement a WAF rule to block suspicious requests.
There are currently no known active exploits for CVE-2026-1087, but the vulnerability remains a risk until patched.
Refer to the WordPress plugin repository for updates and advisories related to The Guardian News Feed plugin: https://wordpress.org/plugins/the-guardian-news-feed/