Platform
wordpress
Component
xhanch-my-advanced-settings
Fixed in
1.1.3
CVE-2026-3332 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Xhanch – My Advanced Settings plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings if they can trick a site administrator into performing a malicious action. The vulnerability affects versions 1.0.0 through 1.1.2, and a patch is available in version 1.1.3.
The primary impact of CVE-2026-3332 is the potential for unauthorized modification of plugin settings. An attacker could leverage this CSRF vulnerability to alter the plugin's favicon URL, inject a Google Analytics account ID, or toggle various WordPress behavior settings. While seemingly minor, these changes could be used for phishing attacks, tracking user behavior without consent, or subtly altering the website's appearance to mislead visitors. The attacker needs to trick an administrator into clicking a malicious link, making social engineering a key component of exploitation.
CVE-2026-3332 was publicly disclosed on 2026-03-21. No known public proof-of-concept exploits are currently available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively simple nature of CSRF exploitation and the plugin's popularity, attackers may develop and deploy exploits in the future.
WordPress websites utilizing the Xhanch – My Advanced Settings plugin, particularly those with administrative accounts that are not adequately trained in security best practices, are at risk. Shared hosting environments where multiple websites share the same server resources could also be affected, as a compromise of one site could potentially lead to the exploitation of others.
• wordpress / composer / npm:
grep -r 'xms_setting()' /var/www/html/wp-content/plugins/xhanch-my-advanced-settings/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=xms_setting&setting_name=favicon_url' | grep -i '200 OK'
Disclosure
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-3332 is to immediately upgrade the Xhanch – My Advanced Settings plugin to version 1.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out requests to the xms_setting() endpoint that lack proper nonce validation. Additionally, educate administrators about the risks of clicking on suspicious links and verify the authenticity of any requests before submitting them. After upgrading, confirm the fix by attempting to submit a forged request to the settings update handler and verifying that it is rejected.
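As an added illustration, not code from the Xhanch – My Advanced Settings plugin, the following hypothetical WordPress settings handler shows the CSRF-prone pattern this CVE describes beside a version hardened with WordPress's own capability and nonce checks. All function, option, action and nonce names are made up for the example.

```php
<?php
// Hypothetical plugin settings handler: illustration only, not code from
// Xhanch - My Advanced Settings. Option, action and nonce names are invented.

// CSRF-prone pattern: persists whatever arrives in POST. Nothing here proves
// the request came from the plugin's own settings form rather than from a
// page the logged-in administrator was lured to, so the browser's WordPress
// auth cookies are enough to get the change accepted.
function example_save_settings_unsafe() {
    update_option( 'example_favicon_url', $_POST['favicon_url'] );
    update_option( 'example_ga_id', $_POST['ga_id'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
}

// Hardened pattern: capability check, nonce verification, then sanitization.
function example_save_settings_safe() {
    // 1. Only users allowed to change site options may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. check_admin_referer() validates the nonce bound to this action and the
    //    current user's session; a cross-site forged request carries no valid
    //    nonce, so WordPress stops here with an error page.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Sanitize each field for its expected type before saving.
    $favicon = isset( $_POST['favicon_url'] ) ? esc_url_raw( wp_unslash( $_POST['favicon_url'] ) ) : '';
    $ga_id   = isset( $_POST['ga_id'] ) ? sanitize_text_field( wp_unslash( $_POST['ga_id'] ) ) : '';
    update_option( 'example_favicon_url', $favicon );
    update_option( 'example_ga_id', $ga_id );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_safe' );

// The legitimate settings form must emit the matching nonce field, otherwise
// the hardened handler rejects the plugin's own submissions too.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="url" name="favicon_url"> <input type="text" name="ga_id">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When verifying a fix of this kind, a POST to the handler that omits or alters the nonce parameter should be rejected before any option is updated.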
CVE-2026-3332 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Xhanch – My Advanced Settings WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using Xhanch – My Advanced Settings plugin versions 1.0.0 through 1.1.2.
Upgrade the Xhanch – My Advanced Settings plugin to version 1.1.3 or later. Consider WAF rules as a temporary workaround.
No active exploitation has been confirmed at this time, but the vulnerability is considered potentially exploitable.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.