Platform: wordpress
Component: friendly-functions-for-welcart
Fixed in: 1.2.6
CVE-2026-1208 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Friendly Functions for Welcart plugin for WordPress. This flaw allows unauthenticated attackers to potentially modify plugin settings if they can trick a site administrator into performing an action. The vulnerability impacts versions 0.0.0 through 1.2.5, and a patch is available in version 1.2.6.
An attacker can exploit this CSRF vulnerability by crafting a malicious request that, when triggered by a site administrator, modifies the plugin's settings. This could lead to unauthorized changes in plugin behavior, potentially impacting e-commerce functionality or exposing sensitive data. The attacker would need to lure the administrator to click a crafted link or visit a malicious webpage. Successful exploitation could compromise the integrity of the Welcart store and its associated data.
This vulnerability was publicly disclosed on 2026-01-24. No known public exploits or active campaigns targeting this specific vulnerability have been reported as of this writing. It is not currently listed on the CISA KEV catalog. The ease of exploitation is moderate, relying on social engineering to trick administrators.
Exploit Status
EPSS: 0.01% (0% percentile)
The primary mitigation for CVE-2026-1208 is to immediately upgrade the Friendly Functions for Welcart plugin to version 1.2.6 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the plugin's settings page. Additionally, enforce strict user access controls and educate administrators about the risks of clicking on untrusted links. After upgrading, confirm the fix by attempting to access the plugin settings page from an incognito browser window to ensure proper nonce validation.
Update to version 1.2.6, or a newer patched version
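What nonce validation on a settings form looks like in WordPress, shown as an added example: it is not the plugin's own code and is not taken from the 1.2.6 patch. Every `example_` / `EXAMPLE_` name, the option key and the page slug are hypothetical; the WordPress functions are core APIs.

```php
<?php
/**
 * Plugin Name: Example CSRF-safe settings page
 * Description: Added illustration; not Friendly Functions for Welcart code.
 */

// Every "example_" / EXAMPLE_ name below is hypothetical.
const EXAMPLE_ACTION = 'example_save_settings';
const EXAMPLE_NONCE  = 'example_settings_nonce';

add_action( 'admin_menu', function () {
    add_options_page( 'Example', 'Example', 'manage_options', 'example-settings', 'example_render_form' );
} );

function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_NONCE ); // token bound to this user and action ?>
        <input type="text" name="example_label"
               value="<?php echo esc_attr( get_option( 'example_label', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_save_settings' );

function example_save_settings() {
    // Authorization: the logged-in user must be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CSRF check: without this call the handler would accept any POST sent with
    // the administrator's session cookies, including one submitted from another
    // site. check_admin_referer() stops the request if the nonce is missing or invalid.
    check_admin_referer( EXAMPLE_ACTION, EXAMPLE_NONCE );

    $label = isset( $_POST['example_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_label'] ) )
        : '';
    update_option( 'example_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings&updated=1' ) );
    exit;
}
```

The capability check and the nonce check answer different questions: the first decides who may change settings, the second confirms the request came from the site's own form.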
CVE-2026-1208 is a Cross-Site Request Forgery (CSRF) vulnerability in the Friendly Functions for Welcart WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using Friendly Functions for Welcart version 0.0.0 through 1.2.5. Upgrade to 1.2.6 or later to mitigate the risk.
Upgrade the Friendly Functions for Welcart plugin to version 1.2.6 or later. Consider WAF rules and user access controls as temporary mitigations.
No active exploitation campaigns targeting CVE-2026-1208 have been publicly reported as of this writing.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.