Platform
wordpress
Component
textp2p-texting-widget
Fixed in
1.7.1
CVE-2026-4133 describes a Cross-Site Request Forgery (XSRF) vulnerability discovered in the TextP2P Texting Widget plugin for WordPress. This flaw allows attackers to manipulate plugin settings, potentially granting them unauthorized access to sensitive data and functionality. The vulnerability impacts versions 1.0.0 through 1.7, and a fix is pending from the vendor.
An attacker exploiting this XSRF vulnerability can leverage a malicious website or email to trick a logged-in WordPress administrator into unknowingly submitting a forged HTTP request. This request can modify critical plugin settings, including the chat widget title, message content, API credentials used for sending SMS messages, color schemes, and reCAPTCHA configurations. Compromising API credentials could allow an attacker to send SMS messages impersonating the legitimate application, potentially leading to phishing attacks or spam campaigns. Furthermore, manipulation of reCAPTCHA settings could bypass security measures, enabling automated abuse of the texting widget.
The vulnerability was published on 2026-04-22. Currently, there are no publicly known active campaigns exploiting this specific CVE. The vulnerability's impact is moderate due to the requirement of an authenticated administrator and the potential for disruption rather than complete system compromise. No KEV or EPSS score is currently assigned.
Exploit Status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
While a patched version is pending, immediate mitigation steps can reduce the risk. Implement strict input validation and nonce protection on all plugin settings update endpoints. Consider using a WordPress security plugin that provides XSRF protection for all forms. If possible, restrict access to the plugin's settings page to only authorized administrators. Regularly review plugin settings for any unauthorized changes. Until a patch is available, carefully monitor user activity and be wary of suspicious requests.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
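The nonce protection and settings-page access control recommended above, shown as an added PHP illustration that is not the TextP2P plugin's code: a settings handler that accepts any POST (the pattern behind this class of XSRF) beside the hardened form built on WordPress's own wp_nonce_field(), check_admin_referer() and current_user_can(). The option name demo_widget_settings, the action demo_widget_save and the field names are assumptions.

```php
<?php
// Added illustration, not the TextP2P plugin's code. The option name
// 'demo_widget_settings' and the action 'demo_widget_save' are assumed.

// --- Weak pattern: any POST reaching this handler rewrites the settings.
// Nothing ties the request to an intent expressed on the plugin's own
// settings page, and no capability is checked, so a request an
// administrator's browser sends from elsewhere is accepted as-is.
function demo_widget_save_unprotected() {
    $settings = array(
        'title'   => $_POST['title'] ?? '',
        'api_key' => $_POST['api_key'] ?? '',
    );
    update_option( 'demo_widget_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-widget' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce, and the handler checks
// capability, nonce and input before storing anything.
function demo_widget_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits _wpnonce and _wp_http_referer hidden fields bound to this action.
    wp_nonce_field( 'demo_widget_save', '_wpnonce' );
    echo '<input type="hidden" name="action" value="demo_widget_save">';
    echo '<input name="title"><input name="api_key"><button>Save</button></form>';
}

function demo_widget_save_protected() {
    // 1. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The nonce must match the one WordPress issued to this user for this
    //    action; a cross-site request cannot supply it. check_admin_referer()
    //    stops the request with a 403 when the check fails.
    check_admin_referer( 'demo_widget_save', '_wpnonce' );
    // 3. Validate and sanitize the submitted values before storing them.
    $settings = array(
        'title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
    );
    update_option( 'demo_widget_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-widget' ) );
    exit;
}
add_action( 'admin_post_demo_widget_save', 'demo_widget_save_protected' );
```

When reviewing a plugin for this defect, look for settings handlers that call update_option() without a preceding check_admin_referer() or wp_verify_nonce() and without a current_user_can() check.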
CVE-2026-4133 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the TextP2P Texting Widget plugin for WordPress versions 1.0.0 through 1.7, allowing attackers to modify plugin settings.
You are affected if your WordPress website uses the TextP2P Texting Widget plugin and is running version 1.0.0 to 1.7. Check your plugin versions immediately.
Upgrade to the patched version when available. Until then, implement strict input validation, nonce protection, and restrict access to plugin settings.
Currently, there are no publicly known active campaigns exploiting this specific CVE, but it's crucial to apply mitigations proactively.
Refer to the vendor's website or WordPress plugin repository for updates and official advisories regarding CVE-2026-4133.