Platform: wordpress
Component: neos-connector-for-fakturama
Fixed in: 0.0.15
CVE-2026-4143 describes a Cross-Site Request Forgery (XSRF) vulnerability discovered in the Neos Connector for Fakturama plugin for WordPress. The flaw allows an unauthenticated attacker to modify plugin settings by forging a request that a logged-in administrator's browser submits on the attacker's behalf, undermining the administrator's control over the plugin's configuration. The vulnerability affects versions from 0.0.0 through 0.0.14. A fix is expected in a future plugin release.
The XSRF vulnerability in Neos Connector for Fakturama allows an attacker to craft malicious requests that appear to originate from a legitimate user, specifically a site administrator. By tricking an administrator into clicking a specially crafted link or visiting a malicious website, the attacker can execute arbitrary actions within the plugin's settings. This could include modifying invoice generation rules, payment configurations, or other critical plugin parameters. Successful exploitation could lead to data manipulation, financial loss, or disruption of business operations. While the plugin itself may not directly expose sensitive data, modifications to its settings could indirectly impact the security and integrity of the WordPress site.
CVE-2026-4143 was publicly disclosed on 2026-03-21. No public proof-of-concept (POC) code has been released at the time of writing. The EPSS score is pending evaluation. The vulnerability is listed on the NVD (National Vulnerability Database) and is being tracked by CISA.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4143 is to upgrade to a patched version of the Neos Connector for Fakturama plugin as soon as it becomes available. Until a patch is released, implement temporary workarounds to reduce the risk. These include carefully reviewing all plugin settings changes and implementing stricter access controls for WordPress administrator accounts. Consider using a WordPress security plugin with XSRF protection features. Implement a Web Application Firewall (WAF) with XSRF filtering rules to block suspicious requests. Monitor WordPress access logs for unusual activity and suspicious URLs.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
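To show the class of defect behind this advisory and the corresponding fix, here is an added example written for this page; it is hypothetical plugin code, not the Neos Connector for Fakturama source, and the option name, form field and action names are assumptions. The vulnerable handler applies any POST it receives, so a request forged from another origin and submitted by an administrator's browser changes the setting; the hardened handler requires a WordPress nonce tied to the action plus a capability check, which a cross-site page cannot satisfy.

```php
<?php
// Added example: hypothetical plugin code, not the affected plugin's source.
// 'hypo_api_url', 'hypo_save_settings' and 'hypo_nonce' are assumed names.

// Vulnerable pattern: no nonce and no capability check, so any POST carrying
// the field (including one forged by a third-party page) updates the option.
function hypothetical_vulnerable_save_settings() {
    if ( isset( $_POST['hypo_api_url'] ) ) {
        update_option( 'hypo_api_url', $_POST['hypo_api_url'] );
    }
}

// Hardened form: the settings page embeds a per-user, per-action nonce.
function hypothetical_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_settings">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <input type="url" name="hypo_api_url"
               value="<?php echo esc_attr( get_option( 'hypo_api_url', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened handler: verify the nonce, verify the capability, sanitize the value.
function hypothetical_hardened_save_settings() {
    // Dies with a 403 unless the request carries a valid nonce for this action;
    // a forged cross-site request cannot obtain that token.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );

    // Nonces authenticate intent, not authority: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $url = isset( $_POST['hypo_api_url'] )
        ? esc_url_raw( wp_unslash( $_POST['hypo_api_url'] ) )
        : '';
    update_option( 'hypo_api_url', $url );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_hypo_save_settings', 'hypothetical_hardened_save_settings' );
```

When reviewing a plugin for this class of bug, look for every `update_option` or settings write that is reachable from `admin_init`, `admin_post_*` or `wp_ajax_*` without a preceding `check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce` call.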
CVE-2026-4143 is a Cross-Site Request Forgery (XSRF) vulnerability in the Neos Connector for Fakturama WordPress plugin, allowing attackers to potentially modify plugin settings via forged requests.
You are affected if you are using the Neos Connector for Fakturama plugin in versions 0.0.0 through 0.0.14. Upgrade to a patched version as soon as available.
The recommended fix is to upgrade to a patched version of the plugin. Until a patch is released, implement temporary workarounds like stricter access controls and WAF rules.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the plugin developer's website or WordPress plugin repository for updates and advisories related to CVE-2026-4143.