Platform
wordpress
Component
the-guardian-news-feed
Fixed in
1.2.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in The Guardian News Feed plugin for WordPress, affecting versions from 0.0.0 through 1.2. This flaw allows unauthenticated attackers to manipulate the plugin's settings, potentially compromising sensitive information like the Guardian API key. The vulnerability stems from a lack of nonce validation during settings updates, enabling forged requests to be executed if an administrator is tricked into performing an action. A fix is available.
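The missing nonce check described above, shown as an added example that is not the plugin's own code: a minimal settings handler for a hypothetical WordPress plugin that stores an API key, first without any request validation and then with a nonce and capability check. Every name in it (the gnf_ prefix, the gnf_api_key option, the gnf_save_settings action) is an assumption.

```php
<?php
// Added example, not the plugin's code. Hypothetical names throughout:
// gnf_* functions, option 'gnf_api_key', form action 'gnf_save_settings'.

// BEFORE: no nonce and no capability check. Any POST that reaches this function,
// including one auto-submitted from a page an administrator was lured to,
// silently overwrites the stored API key. (Deliberately not hooked anywhere.)
function gnf_save_settings_vulnerable() {
    if ( isset( $_POST['gnf_api_key'] ) ) {
        update_option( 'gnf_api_key', sanitize_text_field( wp_unslash( $_POST['gnf_api_key'] ) ) );
    }
}

// AFTER, part 1: the settings form embeds a nonce tied to the 'gnf_save_settings' action.
function gnf_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gnf_save_settings">
        <?php wp_nonce_field( 'gnf_save_settings', 'gnf_nonce' ); ?>
        <input type="text" name="gnf_api_key"
               value="<?php echo esc_attr( get_option( 'gnf_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, part 2: the handler refuses the request unless the caller is an
// administrator AND the request carries a valid nonce for this action.
function gnf_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions', 'gnf' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() runs wp_verify_nonce() on the named field and dies on
    // failure; a cross-site forged POST cannot know the nonce, so it stops here.
    check_admin_referer( 'gnf_save_settings', 'gnf_nonce' );

    $key = isset( $_POST['gnf_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['gnf_api_key'] ) )
        : '';
    update_option( 'gnf_api_key', $key );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_gnf_save_settings', 'gnf_save_settings_hardened' );
```

The capability check alone would not stop CSRF, since the victim is a logged-in administrator; the nonce is what binds the request to a form that user actually loaded.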
Successful exploitation of this CSRF vulnerability allows an attacker to modify the plugin's configuration without authentication. The most critical impact is the potential for an attacker to replace the Guardian API key, effectively hijacking the plugin's functionality and potentially gaining unauthorized access to data. This could lead to data breaches, manipulation of content displayed on the website, or even complete control over the plugin's behavior. The attacker would need to craft a malicious request and trick a site administrator into clicking a link or visiting a page containing the forged request. This is a common attack vector, and while requiring user interaction, the potential impact is significant.
This vulnerability was publicly disclosed on 2026-03-07. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. While the CVSS score indicates a medium severity, the requirement for user interaction limits the immediate exploitation probability.
Websites utilizing The Guardian News Feed plugin, particularly those with shared hosting environments or legacy WordPress configurations, are at increased risk. Sites where administrators are frequently targeted with phishing attacks are also more vulnerable, as attackers could leverage this CSRF flaw to gain control of plugin settings.
• wordpress / composer / npm:
  grep -r 'settings_update' /var/www/html/wp-content/plugins/the-guardian-news-feed/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep 'the-guardian-news-feed'
• wordpress / composer / npm:
  curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=the_guardian_news_feed_settings_update' | grep 'CSRF token'
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade The Guardian News Feed plugin to a version containing the fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the plugin's settings update endpoint; specifically, look for requests to that endpoint that carry no nonce parameter at all. Additionally, restrict access to the plugin's settings page to authorized administrators only, and regularly review the plugin's settings for any unauthorized modifications. After upgrading, confirm the fix by attempting a settings update as an unauthenticated user and verifying that the request is rejected.
No known patch is available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. Uninstalling the affected software and finding a replacement may be the best option.
CVE-2026-1087 is a Cross-Site Request Forgery (CSRF) vulnerability affecting The Guardian News Feed WordPress plugin versions 0.0.0–1.2, allowing attackers to modify plugin settings.
You are affected if you are using The Guardian News Feed plugin in versions 0.0.0 through 1.2. Upgrade to a patched version to resolve the vulnerability.
Upgrade The Guardian News Feed plugin to the latest available version. If upgrading is not immediately possible, implement a WAF rule to block suspicious requests.
There are currently no known active exploits for CVE-2026-1087, but the vulnerability remains a risk until patched.
Refer to the WordPress plugin repository for updates and advisories related to The Guardian News Feed plugin: https://wordpress.org/plugins/the-guardian-news-feed/