Platform
wordpress
Component
the-guardian-news-feed
Fixed in
1.2.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in The Guardian News Feed plugin for WordPress, affecting versions from 0.0.0 through 1.2. This flaw allows unauthenticated attackers to manipulate the plugin's settings, potentially compromising sensitive information like the Guardian API key. The vulnerability stems from a lack of nonce validation during settings updates, enabling forged requests to be executed if an administrator is tricked into performing an action. A fix is available.
Successful exploitation of this CSRF vulnerability allows an attacker to modify the plugin's configuration without authentication. The most critical impact is the potential for an attacker to replace the Guardian API key, effectively hijacking the plugin's functionality and potentially gaining unauthorized access to data. This could lead to data breaches, manipulation of content displayed on the website, or even complete control over the plugin's behavior. The attacker would need to craft a malicious request and trick a site administrator into clicking a link or visiting a page containing the forged request. This is a common attack vector, and while requiring user interaction, the potential impact is significant.
This vulnerability was publicly disclosed on 2026-03-07. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. While the CVSS score indicates a medium severity, the requirement for user interaction limits the immediate exploitation probability.
Websites utilizing The Guardian News Feed plugin, particularly those with shared hosting environments or legacy WordPress configurations, are at increased risk. Sites where administrators are frequently targeted with phishing attacks are also more vulnerable, as attackers could leverage this CSRF flaw to gain control of plugin settings.
• wordpress / composer / npm: search the plugin source for the settings-update handler and check whether it calls check_admin_referer() or wp_verify_nonce() before saving:
grep -rn -e 'settings_update' -e 'check_admin_referer' -e 'wp_verify_nonce' /var/www/html/wp-content/plugins/the-guardian-news-feed/
• wordpress / composer / npm: confirm whether the plugin is installed, whether it is active, and which version is present:
wp plugin list --fields=name,status,version | grep 'the-guardian-news-feed'
• wordpress / composer / npm: check whether the settings-update endpoint is reachable (a HEAD request shows only the HTTP status and headers; it cannot tell you whether a nonce is validated):
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=the_guardian_news_feed_settings_update'
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade The Guardian News Feed plugin to a version containing the fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the plugin's settings update endpoint. Specifically, flag requests to that endpoint that carry no nonce parameter, since the WAF cannot validate the nonce itself. Additionally, restrict access to the plugin's settings page to authorized administrators only. Regularly review plugin settings for any unauthorized modifications. After upgrading, confirm the fix by attempting a settings update as an unauthenticated user and verifying that the request is rejected.
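As an added example (not the plugin's own code; the function, option and action names are hypothetical), the settings-update handler written first without nonce validation, as the advisory describes, and then hardened with the capability and nonce checks WordPress provides. The hardened handler is what the verification step above relies on: a request without a valid nonce is rejected before update_option() runs.

```php
<?php
// Added illustration, not the plugin's own code. Function, option and action
// names (tgnf_*) are hypothetical. Both handlers receive the settings form via
// admin-post.php with action=tgnf_save_settings.

// VULNERABLE pattern: trusts any POST that reaches the handler. A form on a page the
// administrator is lured to, auto-submitted by their logged-in browser, overwrites
// the stored API key because nothing ties the request to the plugin's own form.
function tgnf_save_settings_vulnerable() {
    update_option( 'tgnf_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=tgnf' ) );
    exit;
}

// HARDENED pattern: capability check, then nonce check, before any state change.
function tgnf_save_settings_hardened() {
    // Only users who may manage options (administrators) can change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the _wpnonce field bound to this action and
    // stops with a 403 when it is missing or invalid: exactly the forged-request case.
    check_admin_referer( 'tgnf_save_settings', '_wpnonce' );

    update_option( 'tgnf_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=tgnf' ) );
    exit;
}
add_action( 'admin_post_tgnf_save_settings', 'tgnf_save_settings_hardened' );

// The legitimate settings form must emit the matching nonce, or valid saves are rejected.
function tgnf_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="tgnf_save_settings">
        <?php wp_nonce_field( 'tgnf_save_settings', '_wpnonce' ); ?>
        <input type="text" name="api_key" value="<?php echo esc_attr( get_option( 'tgnf_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Because check_admin_referer() runs before update_option(), a replay of the same POST without the _wpnonce field (or with one issued for a different user or action) never reaches the write.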
No patch is known to be available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be preferable to uninstall the affected software and look for a replacement.
CVE-2026-1087 is a Cross-Site Request Forgery (CSRF) vulnerability affecting The Guardian News Feed WordPress plugin versions 0.0.0–1.2, allowing attackers to modify plugin settings.
You are affected if you are using The Guardian News Feed plugin in versions 0.0.0 through 1.2. Upgrade to a patched version to resolve the vulnerability.
Upgrade The Guardian News Feed plugin to the latest available version. If upgrading is not immediately possible, implement a WAF rule to block suspicious requests.
There are currently no known active exploits for CVE-2026-1087, but the vulnerability remains a risk until patched.
Refer to the WordPress plugin repository for updates and advisories related to The Guardian News Feed plugin: https://wordpress.org/plugins/the-guardian-news-feed/