Platform
wordpress
Component
neos-connector-for-fakturama
Fixed in
0.0.15
CVE-2026-4143 is a Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability in the Neos Connector for Fakturama plugin for WordPress. An unauthenticated attacker can cause the plugin's settings to be modified, provided they can induce a logged-in site administrator to perform an action such as clicking a link or visiting a page they control; the forged request then executes with the administrator's session and privileges. Affected versions are 0.0.0 through 0.0.14; the version field on this page records the fix in 0.0.15.
In WordPress plugins this class of bug almost always means that the handler which saves the plugin's settings does not verify a nonce (check_admin_referer() or wp_verify_nonce()) tied to the requesting user's session, and often also accepts the change via a plain GET. Any request that arrives with the administrator's cookies is therefore honoured regardless of where it originated. The attacker hosts a page that auto-submits a form, or embeds a link or image, pointing at the plugin's settings endpoint; when an administrator who is logged in to the target site loads that page, the browser attaches the session cookies and the plugin stores the attacker's values. Which settings can be changed depends on the handler; for a connector that synchronises invoicing data with Fakturama this can plausibly include the endpoint, credentials or synchronisation rules the plugin uses, so the practical impact is data manipulation and disruption of the invoicing workflow rather than direct disclosure of data. The advisory does not enumerate the affected settings, so treat any persisted option of the plugin as potentially attacker-controlled on an exploited site.
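The pattern just described, as an added illustrative example that is not code from the Neos Connector for Fakturama plugin: a WordPress admin-post settings handler with the typical CSRF defect, beside its hardened form. The hook name, option name, nonce action and field names are hypothetical; the real handler is not shown on this page.

```php
<?php
/**
 * Added example, not code from the affected plugin. Shows a settings handler
 * that is CSRF-exploitable and the hardened equivalent. All names below
 * (example_save_settings, example_api_endpoint, _example_nonce) are hypothetical.
 */

// --- Vulnerable pattern (shown for contrast, deliberately NOT hooked) ---
// No nonce check, no capability check, accepts GET: a cross-site link or
// auto-submitting form carrying an admin's cookies changes the option.
function example_save_settings_vulnerable() {
    update_option( 'example_api_endpoint', $_REQUEST['api_endpoint'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// --- Hardened pattern ---
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. Authorisation: only users allowed to manage site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: require a nonce bound to this action and this user's session.
    //    check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer( 'example_save_settings', '_example_nonce' );
    // 3. State changes only via POST. A GET reachable by top-level navigation
    //    still receives cookies under the SameSite=Lax browser default.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    // 4. Validate and sanitise before storing.
    $endpoint = isset( $_POST['api_endpoint'] )
        ? esc_url_raw( wp_unslash( $_POST['api_endpoint'] ) )
        : '';
    if ( '' === $endpoint || false === filter_var( $endpoint, FILTER_VALIDATE_URL ) ) {
        wp_die( 'Invalid endpoint', '', array( 'response' => 400 ) );
    }
    update_option( 'example_api_endpoint', $endpoint );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}

// The settings form must emit the matching nonce field and post to admin-post.php.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <label>API endpoint
            <input type="url" name="api_endpoint"
                   value="<?php echo esc_attr( get_option( 'example_api_endpoint', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce is what actually defeats CSRF: it is generated per user session and per action, so an attacker's page cannot guess it. The capability check is a separate control (it stops low-privilege users, not forged requests from an admin's browser), and the POST-only rule closes the GET path that SameSite=Lax cookies leave open.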
CVE-2026-4143 was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score recorded on this page is 0.01% (3rd percentile), a low predicted likelihood of exploitation in the wild. The vulnerability is listed in the NVD (National Vulnerability Database); no CISA SSVC decision is recorded on this page.
Any WordPress site running an affected version of Neos Connector for Fakturama is exposed, but exploitation requires a logged-in administrator (or any user with the capability that the plugin's settings handler accepts) to open attacker-controlled content while their session is active. Sites whose administrators browse the web in the same browser profile they use for wp-admin make that step easy. Browsers that default cookies to SameSite=Lax block cross-site POST submissions but still send cookies on top-level GET navigations, so a settings endpoint that accepts changes via GET (as the curl check below implies) remains reachable from a simple link. Strong passwords and multi-factor authentication do not prevent CSRF, because the forged request rides on an already-authenticated session; they address the separate risk of account takeover.
• wordpress / composer / npm:
grep -r 'ncff_add_plugin_page' /var/www/html/wp-content/plugins/neos-connector-for-fakturama/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-post.php?action=ncff_add_plugin_page&setting_name=some_setting&some_value=malicious_value'
• wordpress / composer / npm:
wp plugin list --fields=name,version,status | grep 'neos-connector-for-fakturama'
wp plugin get neos-connector-for-fakturama --field=version
The installed version is the reliable indicator: anything at or below 0.0.14 is affected. The curl probe (URL quoted so the shell does not treat & as a job separator) only shows whether the endpoint answers; an unauthenticated HEAD request cannot confirm the flaw, since a forged request needs an administrator's session, and it should only be run against sites you are authorised to test.
Exploit status
EPSS
0.01% (percentile 3%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4143 is to update the plugin to 0.0.15 or later, the version this page records as fixed. Where an update cannot be applied immediately, reduce exposure in the meantime: review the plugin's settings for unexpected changes (attacker-supplied values persist in the options table, so a past forged request leaves a trace there); restrict which accounts hold the capability that saves the plugin's settings; have administrators use a separate browser profile for wp-admin so that their session cookies are never available to arbitrary sites; and front the site with a WAF, or a small must-use plugin, that rejects requests to the plugin's settings action whose Origin or Referer is not your own host. A generic security plugin advertising CSRF protection helps only if it actually wraps this plugin's handler, because WordPress nonces are checked per handler. Monitor access logs for requests to wp-admin/admin-post.php or options.php carrying the plugin's action name that arrive with a foreign Referer or none at all.
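The interim origin check mentioned above, as an added example that is not part of the advisory or the plugin: a WordPress must-use plugin that rejects requests to admin-post.php for a list of guarded actions unless the Origin or Referer host matches the site's own admin host. The guarded action name 'ncff_add_plugin_page' is taken from the curl check on this page and is an assumption that must be confirmed against the installed plugin's source; the hook name and option names are hypothetical.

```php
<?php
/**
 * Plugin Name: Interim CSRF origin guard (added example, not from the affected plugin)
 *
 * Drop this file into wp-content/mu-plugins/. It runs on admin_init, which
 * admin-post.php fires before it dispatches admin_post_{action}, so it can
 * stop a forged request before the plugin's own handler sees it.
 * The action list is an assumption: confirm the real action name in the plugin source.
 */

const EXAMPLE_GUARDED_ACTIONS = array( 'ncff_add_plugin_page' );

add_action( 'admin_init', 'example_csrf_origin_guard', 0 );
function example_csrf_origin_guard() {
    global $pagenow;

    // Only admin-post.php dispatches admin_post_{action}; leave other screens alone.
    if ( 'admin-post.php' !== $pagenow ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( ! in_array( $action, EXAMPLE_GUARDED_ACTIONS, true ) ) {
        return;
    }

    // The forged request always carries cookies; what it cannot forge is a
    // same-site Origin/Referer, so compare the source host with the admin host.
    $site_host = wp_parse_url( admin_url(), PHP_URL_HOST );
    $source    = '';
    if ( ! empty( $_SERVER['HTTP_ORIGIN'] ) ) {
        $source = $_SERVER['HTTP_ORIGIN'];
    } elseif ( ! empty( $_SERVER['HTTP_REFERER'] ) ) {
        $source = $_SERVER['HTTP_REFERER'];
    }
    $source_host = '' !== $source ? wp_parse_url( $source, PHP_URL_HOST ) : null;

    // Fail closed: a missing Origin/Referer cannot be told apart from a stripped
    // one, and these actions change state, so require a same-host source.
    if ( empty( $source_host ) || 0 !== strcasecmp( $source_host, $site_host ) ) {
        wp_die( 'Cross-site request rejected', '', array( 'response' => 403 ) );
    }

    // Also refuse GET for guarded actions: SameSite=Lax cookies still accompany
    // a top-level GET navigation, so a link alone could otherwise trigger the change.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed for this action', '', array( 'response' => 405 ) );
    }
}
```

This is a stopgap, not a replacement for the nonce the plugin itself should check: a strict Referrer-Policy on your own admin pages could cause legitimate saves to be rejected (browsers send Origin on same-origin form POSTs, so this is rare), and a reverse proxy that rewrites Host must be accounted for when comparing hosts. Remove the guard once the plugin is updated to 0.0.15 or later.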
This page's version field records 0.0.15 as the fixed release. If your plugin source does not yet offer that version, review the vulnerability details thoroughly and apply mitigations according to your organisation's risk tolerance; it may be preferable to uninstall the affected plugin and find a replacement.
CVE-2026-4143 is a Cross-Site Request Forgery (CSRF) vulnerability in the Neos Connector for Fakturama WordPress plugin that allows an attacker to modify plugin settings via a forged request executed in a logged-in administrator's browser.
You are affected if you run the Neos Connector for Fakturama plugin in versions 0.0.0 through 0.0.14. Update to 0.0.15 or later.
The recommended fix is to update the plugin to 0.0.15 or later. Until you can, apply temporary workarounds such as stricter access controls, a separate browser profile for administration, and WAF or must-use-plugin rules that reject cross-origin requests to the plugin's settings action.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the plugin developer's website or WordPress plugin repository for updates and advisories related to CVE-2026-4143.