Platform: wordpress
Component: mcatfilter
Fixed in: 0.5.3
CVE-2026-4139 affects the mCatFilter plugin for WordPress, impacting versions up to 0.5.2. This vulnerability is a Cross-Site Request Forgery (CSRF) flaw stemming from a lack of input validation and capability checks. Successful exploitation allows an attacker to modify plugin settings, potentially leading to unauthorized changes and impacting website functionality.
The core of the vulnerability lies in the computepost() function, which reads $_POST data directly and writes it to plugin settings with update_option() without any CSRF token (nonce) validation. Because this function is attached to the plugins_loaded hook, it runs on every page load, so an attacker can craft a request that modifies any plugin setting. This could involve altering category mappings, changing display options, or even disabling security features, effectively compromising the website's configuration. The lack of authentication checks means an unauthenticated attacker can perform these actions. The potential impact extends beyond simple configuration changes: an attacker could leverage modified settings to inject malicious content or redirect users to phishing sites, escalating the attack.
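As an added illustration (this is not mCatFilter's source and not code from the advisory), the settings-update pattern described above is shown next to a hardened form that uses WordPress's own nonce and capability APIs; the function and option names prefixed mcf_example_ are assumptions:

```php
<?php
// Illustrative reconstruction of the pattern the advisory describes: not
// mCatFilter's actual code. Names prefixed mcf_example_ are assumptions.

// VULNERABLE PATTERN: runs on every request, no nonce, no capability check.
function mcf_example_compute_post_vulnerable() {
    if ( isset( $_POST['mcf_settings'] ) ) {
        // Any forged cross-site POST reaching the site changes the option.
        update_option( 'mcf_example_settings', $_POST['mcf_settings'] );
    }
}
add_action( 'plugins_loaded', 'mcf_example_compute_post_vulnerable' );

// HARDENED PATTERN: admin-only hook, capability check, nonce check, sanitizing.
function mcf_example_render_form() {
    echo '<form method="post">';
    // Emits a hidden nonce field (and referer field) bound to this action.
    wp_nonce_field( 'mcf_example_save', 'mcf_example_nonce' );
    echo '<input type="text" name="mcf_settings[category]">';
    submit_button( 'Save' );
    echo '</form>';
}

function mcf_example_compute_post_hardened() {
    if ( ! isset( $_POST['mcf_settings'] ) ) {
        return;
    }
    // 1. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a nonce tied to this action and the current
    //    user session; a cross-site forged request cannot supply it.
    $nonce = isset( $_POST['mcf_example_nonce'] ) ? sanitize_key( $_POST['mcf_example_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'mcf_example_save' ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    // 3. Allow-list and sanitize fields instead of storing raw $_POST.
    $raw   = (array) $_POST['mcf_settings'];
    $clean = array(
        'category' => sanitize_text_field( wp_unslash( $raw['category'] ?? '' ) ),
    );
    update_option( 'mcf_example_settings', $clean );
}
// admin_init fires only on admin screens, not on every front-end page load.
add_action( 'admin_init', 'mcf_example_compute_post_hardened' );
```

The nonce check alone does not replace the capability check: a nonce proves the request originated from a form WordPress rendered for that user, while current_user_can() proves the user is allowed to change settings at all.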
CVE-2026-4139 was published on 2026-04-21. There is no indication of this vulnerability being actively exploited in the wild, nor is it listed on KEV or EPSS. The CVSS score of 4.3 (Medium) indicates moderate exploitability and impact. Public proof-of-concept (PoC) code is not currently available, but the nature of the vulnerability makes it relatively straightforward to exploit.
Exploit status
EPSS: 0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4139 is to upgrade to a patched version of the mCatFilter plugin. Unfortunately, a fixed version is not explicitly mentioned in the CVE details. As a temporary workaround, consider implementing a Web Application Firewall (WAF) rule that filters POST requests carrying the plugin's settings parameters (the data consumed by computepost()), looking for suspicious $_POST patterns. Another approach is to restrict access to the plugin's settings page using WordPress's role-based access control, limiting who can modify the settings. After upgrading (or implementing a workaround), verify that the plugin's settings have not been altered by reviewing the configuration and testing key functionality.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-4139 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the mCatFilter WordPress plugin versions up to 0.5.2. It allows attackers to modify plugin settings without authentication due to missing security checks.
You are affected if you are using the mCatFilter WordPress plugin version 0.5.2 or earlier. Check your plugin version using the WordPress plugin list.
Upgrade to a patched version of the mCatFilter plugin. As a temporary workaround, implement a WAF rule or restrict access to the plugin's settings page.
There is currently no public evidence of CVE-2026-4139 being actively exploited in the wild.
Refer to the WordPress plugin repository and the mCatFilter plugin's website for updates and advisories related to CVE-2026-4139.