Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update
Platform
wordpress
Component
call-to-action-plugin
Fixed in
3.1.4
CVE-2026-4118 affects the Call To Action Plugin for WordPress, impacting versions up to and including 3.1.3. This vulnerability is a Cross-Site Request Forgery (CSRF) issue stemming from inadequate nonce validation when saving plugin settings. Successful exploitation allows an attacker to modify plugin configurations, potentially impacting website functionality and user experience.
Impact and Attack Scenarios
The core impact of CVE-2026-4118 lies in the ability of an attacker to manipulate the Call To Action Plugin's settings without the administrator's intent: because the settings-save request is not tied to a valid nonce, a forged request submitted from an already logged-in administrator's browser is accepted as if the administrator had made it. This could involve altering call-to-action box titles, content, and other configurations. While not directly leading to data exfiltration or system compromise, unauthorized modifications can disrupt website operations, mislead users, and potentially be leveraged as part of a broader attack chain. An attacker could craft malicious links or embed them in emails to trick legitimate users into unknowingly executing requests that modify the plugin's behavior. The blast radius is limited to the plugin's functionality and the website's overall user experience, but the ease of exploitation makes it a significant concern for WordPress sites using this plugin.
Exploitation Context
CVE-2026-4118 was published on 2026-04-21. Its severity is currently rated as Medium (CVSS 4.3). No public Proof-of-Concept (POC) exploits have been identified as of this writing. It is not currently listed on KEV or EPSS, suggesting a low to medium probability of active exploitation. Monitor WordPress security advisories and vulnerability databases for updates.
Threat Intelligence
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Remotely exploitable over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. No authentication is required to exploit.
- User Interaction: Required. The victim must open a file, click a link, or visit a page.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: None. No confidentiality impact.
- Integrity: Low. The attacker can modify some data of limited scope.
- Availability: None. No availability impact.
Affected Software
Package Information
- Active installations: 20
- Plugin rating: 3.0
- Requires WordPress: 2.0.2+
- Compatible up to: 3.3.2
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-4118 is to upgrade the Call To Action Plugin to a version that addresses the nonce validation issue. The vendor has not yet released a fixed version as of the publication date, so a temporary workaround involves implementing a Web Application Firewall (WAF) rule to filter out requests to the cboxoptionspage() endpoint that lack proper CSRF protection. Alternatively, restrict access to the plugin's settings page to authenticated administrators only. Note that restricting the page to administrators does not by itself stop CSRF, since the forged request is submitted from an administrator's own browser; it only reduces the set of accounts whose sessions can be abused. Carefully review any third-party plugins or themes that interact with the Call To Action Plugin, as they might be susceptible to similar CSRF vulnerabilities. After upgrading, verify the fix by attempting to modify plugin settings via a crafted CSRF request and confirming that the request is rejected.
How to Remediate
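The root cause described above (a settings-save handler that trusts any POST reaching it) and the fix the mitigation section asks for (proper nonce validation) are illustrated below with a constructed example. This is not the Call To Action Plugin's own code: only the cboxoptionspage() name comes from the advisory, while the option names, form fields, nonce action name and function bodies are assumptions made for this example. The first function shows the vulnerable pattern, the second the hardened pattern using WordPress's standard capability and nonce checks.

```php
<?php
// Added illustration, not the Call To Action Plugin's code. Option names,
// form fields, the nonce action and both function bodies are constructed.

// --- Vulnerable pattern: settings are saved as soon as a POST arrives.
// Any page an administrator visits can auto-submit such a POST to wp-admin;
// the browser attaches the admin's session cookies, so the update succeeds.
function cboxoptionspage_vulnerable() {
    if ( isset( $_POST['cbox_save'] ) ) {
        update_option( 'cbox_title', sanitize_text_field( wp_unslash( $_POST['cbox_title'] ?? '' ) ) );
        update_option( 'cbox_content', wp_kses_post( wp_unslash( $_POST['cbox_content'] ?? '' ) ) );
    }
    // ... form rendered without a nonce field ...
}

// --- Hardened pattern: capability check plus a nonce bound to this action.
function cboxoptionspage_hardened() {
    if ( isset( $_POST['cbox_save'] ) ) {
        // 1. Only users allowed to manage options may save settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'cbox' ), 403 );
        }
        // 2. check_admin_referer() validates the nonce stored in '_cbox_nonce'
        //    for the action 'cbox_save_settings' and stops execution (with a
        //    403 "link expired" page) when it is missing, stale or forged.
        //    The nonce is derived from the user's session, so a cross-site
        //    form cannot know it and the forged request never reaches
        //    update_option().
        check_admin_referer( 'cbox_save_settings', '_cbox_nonce' );

        update_option( 'cbox_title', sanitize_text_field( wp_unslash( $_POST['cbox_title'] ?? '' ) ) );
        update_option( 'cbox_content', wp_kses_post( wp_unslash( $_POST['cbox_content'] ?? '' ) ) );
        add_settings_error( 'cbox', 'cbox_saved', __( 'Settings saved.', 'cbox' ), 'updated' );
    }
    settings_errors( 'cbox' );
    ?>
    <form method="post" action="">
        <?php
        // Emits a hidden '_cbox_nonce' field (and a referer field) that the
        // check above expects; the legitimate form carries it, a forged one cannot.
        wp_nonce_field( 'cbox_save_settings', '_cbox_nonce' );
        ?>
        <input type="text" name="cbox_title"
               value="<?php echo esc_attr( get_option( 'cbox_title', '' ) ); ?>">
        <textarea name="cbox_content"><?php echo esc_textarea( get_option( 'cbox_content', '' ) ); ?></textarea>
        <?php submit_button( __( 'Save', 'cbox' ), 'primary', 'cbox_save' ); ?>
    </form>
    <?php
}
```

When verifying a fix as the mitigation section suggests, the observable difference is that the hardened handler rejects a settings POST whose `_cbox_nonce` field is absent or altered (WordPress responds with its "The link you followed has expired" page and does not call `update_option()`), while the vulnerable handler applies the change. The capability check is kept alongside the nonce check because they cover different failures: the nonce ties the request to a form the user actually loaded, and the capability check ensures the user is allowed to change settings at all.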
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Frequently Asked Questions
What is CVE-2026-4118 — CSRF in Call To Action Plugin?
CVE-2026-4118 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Call To Action Plugin for WordPress versions up to 3.1.3. It allows attackers to modify plugin settings without authentication.
Am I affected by CVE-2026-4118 in Call To Action Plugin?
Yes, if you are using the Call To Action Plugin for WordPress and are running version 3.1.3 or earlier, you are potentially affected by this CSRF vulnerability.
How do I fix CVE-2026-4118 in Call To Action Plugin?
Upgrade the Call To Action Plugin to a patched version as soon as it becomes available. Until then, implement a WAF rule or restrict access to the plugin settings page.
Is CVE-2026-4118 being actively exploited?
As of the current assessment, CVE-2026-4118 is not known to be actively exploited, but the ease of exploitation warrants vigilance.
Where can I find the official Call To Action Plugin advisory for CVE-2026-4118?
Refer to the Call To Action Plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2026-4118.