Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery para Atualização de Configurações

The XSRF vulnerability in Neos Connector for Fakturama allows an attacker to craft malicious requests that appear to originate from a legitimate user, specifically a site administrator. By tricking an administrator into clicking a specially crafted link or visiting a malicious website, the attacker can execute arbitrary actions within the plugin's settings. This could include modifying invoice generation rules, payment configurations, or other critical plugin parameters. Successful exploitation could lead to data manipulation, financial loss, or disruption of business operations. While the plugin itself may not directly expose sensitive data, modifications to its settings could indirectly impact the security and integrity of the WordPress site.

WordPress websites utilizing the Neos Connector for Fakturama plugin, particularly those with shared hosting environments or legacy configurations lacking robust security measures, are at increased risk. Sites where administrator accounts are not adequately protected with strong passwords and multi-factor authentication are also more vulnerable.

• wordpress / composer / npm:

grep -r 'ncff_add_plugin_page' /var/www/html/wp-content/plugins/neos-connector-for-fakturama/

• generic web:

curl -I https://your-wordpress-site.com/wp-admin/admin-post.php?action=ncff_add_plugin_page&setting_name=some_setting&some_value=malicious_value

• wordpress / composer / npm:

wp plugin list --status=all | grep 'neos-connector-for-fakturama'

1. 2026-03-21Disclosure

   disclosure

1. Reservado2026-03-13
2. Publicada2026-03-21
3. Modificada2026-04-08
4. EPSS atualizado2026-03-28

The primary mitigation for CVE-2026-4143 is to upgrade to a patched version of the Neos Connector for Fakturama plugin as soon as it becomes available. Until a patch is released, implement temporary workarounds to reduce the risk. These include carefully reviewing all plugin settings changes and implementing stricter access controls for WordPress administrator accounts. Consider using a WordPress security plugin with XSRF protection features. Implement a Web Application Firewall (WAF) with XSRF filtering rules to block suspicious requests. Monitor WordPress access logs for unusual activity and suspicious URLs.

Instalações ativas

20

Avaliação do plugin