TextP2P Texting Widget <= 1.7 - Cross-Site Request Forgery to Settings Update
翻译中…平台
wordpress
组件
textp2p-texting-widget
修复版本
1.7.1
CVE-2026-4133 describes a Cross-Site Request Forgery (XSRF) vulnerability discovered in the TextP2P Texting Widget plugin for WordPress. This flaw allows attackers to manipulate plugin settings, potentially granting them unauthorized access to sensitive data and functionality. The vulnerability impacts versions 1.0.0 through 1.7, and a fix is pending from the vendor.
检测此 CVE 是否影响你的项目
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。
影响与攻击场景翻译中…
An attacker exploiting this XSRF vulnerability can leverage a malicious website or email to trick a logged-in WordPress administrator into unknowingly submitting a forged HTTP request. This request can modify critical plugin settings, including the chat widget title, message content, API credentials used for sending SMS messages, color schemes, and reCAPTCHA configurations. Compromising API credentials could allow an attacker to send SMS messages impersonating the legitimate application, potentially leading to phishing attacks or spam campaigns. Furthermore, manipulation of reCAPTCHA settings could bypass security measures, enabling automated abuse of the texting widget.
利用背景翻译中…
The vulnerability was published on 2026-04-22. Currently, there are no publicly known active campaigns exploiting this specific CVE. The vulnerability's impact is moderate due to the requirement of an authenticated administrator and the potential for disruption rather than complete system compromise. No KEV or EPSS score is currently assigned.
威胁情报
漏洞利用状态
EPSS
0.01% (0% 百分位)
CISA SSVC
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 需要 — 受害者必须打开文件、点击链接或访问特制页面。
- Scope
- 未改变 — 影响仅限于脆弱组件本身。
- Confidentiality
- 无 — 无机密性影响。
- Integrity
- 低 — 攻击者可修改部分数据,影响有限。
- Availability
- 无 — 无可用性影响。
受影响的软件
软件包信息
- 活跃安装数
- 30
- 插件评分
- 5.0
- 需要WordPress版本
- 4.0+
- 兼容至
- 6.8.5
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
While a patched version is pending, immediate mitigation steps can reduce the risk. Implement strict input validation and nonce protection on all plugin settings update endpoints. Consider using a WordPress security plugin that provides XSRF protection for all forms. If possible, restrict access to the plugin's settings page to only authorized administrators. Regularly review plugin settings for any unauthorized changes. Until a patch is available, carefully monitor user activity and be wary of suspicious requests.
修复方法翻译中…
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE 安全通讯
漏洞分析和关键警报直接发送到您的邮箱。
常见问题翻译中…
What is CVE-2026-4133 — XSRF in TextP2P Texting Widget?
CVE-2026-4133 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the TextP2P Texting Widget plugin for WordPress versions 1.0.0 through 1.7, allowing attackers to modify plugin settings.
Am I affected by CVE-2026-4133 in TextP2P Texting Widget?
You are affected if your WordPress website uses the TextP2P Texting Widget plugin and is running version 1.0.0 to 1.7. Check your plugin versions immediately.
How do I fix CVE-2026-4133 in TextP2P Texting Widget?
Upgrade to the patched version when available. Until then, implement strict input validation, nonce protection, and restrict access to plugin settings.
Is CVE-2026-4133 being actively exploited?
Currently, there are no publicly known active campaigns exploiting this specific CVE, but it's crucial to apply mitigations proactively.
Where can I find the official TextP2P Texting Widget advisory for CVE-2026-4133?
Refer to the vendor's website or WordPress plugin repository for updates and official advisories regarding CVE-2026-4133.