Friendly Functions for Welcart <= 1.2.5 - Cross-Site Request Forgery vers la mise à jour des paramètres

An attacker can exploit this CSRF vulnerability by crafting a malicious request that, when triggered by a site administrator, modifies the plugin's settings. This could lead to unauthorized changes in plugin behavior, potentially impacting e-commerce functionality or exposing sensitive data. The attacker would need to lure the administrator to click a crafted link or visit a malicious webpage. Successful exploitation could compromise the integrity of the Welcart store and its associated data.

WordPress sites using the Friendly Functions for Welcart plugin, particularly those with site administrators who are not adequately trained in security best practices, are at risk. Shared hosting environments where plugin updates are not managed centrally are also more vulnerable.

• wordpress / composer / npm:

grep -r 'settings_update' /var/www/html/wp-content/plugins/friendly-functions-for-welcart/includes/

• generic web:

curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=friendly_functions_settings_update&setting_name=some_setting&new_value=malicious_value | grep -i '200 ok'

1. 2026-01-24Disclosure

   disclosure

1. Réservé2026-01-19
2. Publiée2026-01-24
3. Modifiée2026-04-08
4. EPSS mis à jour2026-03-23

The primary mitigation for CVE-2026-1208 is to immediately upgrade the Friendly Functions for Welcart plugin to version 1.2.6 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the plugin's settings page. Additionally, enforce strict user access controls and educate administrators about the risks of clicking on untrusted links. After upgrading, confirm the fix by attempting to access the plugin settings page from an incognito browser window to ensure proper nonce validation.

Installations actives

1KNiche

Note du plugin