Set Bulk Post Categories <= 1.1 - 跨站请求伪造到批量文章分类更新

The primary impact of this vulnerability is unauthorized modification of post categories within a WordPress site. An attacker could leverage this to alter the categorization of important content, potentially disrupting site navigation, SEO rankings, or even injecting malicious content. While requiring user interaction (tricking an administrator), the potential for widespread impact on a WordPress site's content integrity is significant. This vulnerability is similar to other CSRF flaws where an attacker can perform actions on behalf of an authenticated user without their knowledge.

WordPress sites utilizing the Set Bulk Post Categories plugin, particularly those with administrative accounts that are regularly targeted by phishing or social engineering attacks, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources are also potentially vulnerable, as a compromise on one site could lead to attacks against others.

• wordpress / composer / npm:

grep -r 'bulk_update_categories' /var/www/html/wp-content/plugins/set-bulk-post-categories/

• generic web:

curl -I https://example.com/wp-admin/admin-post.php?action=set_bulk_post_categories_update | grep -i 'referer'

1. 2026-01-24Disclosure

   disclosure

1. 已保留2026-01-16
2. 发布日期2026-01-24
3. 修改日期2026-04-08
4. EPSS 更新日期2026-03-23

The recommended mitigation is to immediately upgrade the Set Bulk Post Categories plugin to a version that addresses this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests lacking proper CSRF tokens for the bulk category update endpoint. Additionally, educate administrators about the risks of clicking on suspicious links and verify the authenticity of any requests before confirming them. After upgrading, confirm the fix by attempting a bulk category update as a non-authenticated user and verifying that the action is denied.