Platform: wordpress
Component: friendly-functions-for-welcart
Fixed version: 1.2.6
CVE-2026-1208 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Friendly Functions for Welcart plugin for WordPress. This flaw allows unauthenticated attackers to potentially modify plugin settings if they can trick a site administrator into performing an action. The vulnerability impacts versions 0.0.0 through 1.2.5, and a patch is available in version 1.2.6.
An attacker can exploit this CSRF vulnerability by crafting a malicious request that, when triggered by a site administrator, modifies the plugin's settings. This could lead to unauthorized changes in plugin behavior, potentially impacting e-commerce functionality or exposing sensitive data. The attacker would need to lure the administrator to click a crafted link or visit a malicious webpage. Successful exploitation could compromise the integrity of the Welcart store and its associated data.
This vulnerability was publicly disclosed on 2026-01-24. No known public exploits or active campaigns targeting this specific vulnerability have been reported as of this writing. It is not currently listed on the CISA KEV catalog. The ease of exploitation is moderate, relying on social engineering to trick administrators.
WordPress sites using the Friendly Functions for Welcart plugin, particularly those with site administrators who are not adequately trained in security best practices, are at risk. Shared hosting environments where plugin updates are not managed centrally are also more vulnerable.
• wordpress / composer / npm:
grep -r 'settings_update' /var/www/html/wp-content/plugins/friendly-functions-for-welcart/includes/
• generic web:
# URL is quoted so the shell does not treat '&' as a background operator; the status-line match also covers HTTP/2 replies, which carry no "OK" text
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=friendly_functions_settings_update&setting_name=some_setting&new_value=malicious_value' | grep -iE '^HTTP/[0-9.]+ 200'
Exploitation status
EPSS: 0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1208 is to immediately upgrade the Friendly Functions for Welcart plugin to version 1.2.6 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the plugin's settings page. Additionally, enforce strict user access controls and educate administrators about the risks of clicking on untrusted links. After upgrading, confirm the fix by attempting to access the plugin settings page from an incognito browser window to ensure proper nonce validation.
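The following is an added illustration, not code from the original advisory or from the Friendly Functions for Welcart plugin: a hypothetical WordPress settings handler that accepts forged requests, beside the nonce and capability checks WordPress provides to close that gap. All ffw_demo_* names, option keys and the choice of the manage_options capability are assumptions.

```php
<?php
// Hypothetical WordPress settings handler showing the CSRF pattern this
// advisory describes; every ffw_demo_* name is an assumption, not code
// from the Friendly Functions for Welcart plugin.
// BEFORE: acts on any POST carrying an admin's session cookies, so a form
// auto-submitted from an attacker-controlled page changes the option.
function ffw_demo_save_settings_vulnerable() {
    if ( isset( $_POST['ffw_demo_setting'] ) ) {
        $value = sanitize_text_field( wp_unslash( $_POST['ffw_demo_setting'] ) );
        update_option( 'ffw_demo_setting', $value );
    }
}
// AFTER: capability check plus nonce verification. The nonce is bound to
// the action name and the logged-in user, so a cross-site request cannot
// supply a valid one; check_admin_referer() stops execution on failure.
function ffw_demo_save_settings_fixed() {
    if ( ! isset( $_POST['ffw_demo_setting'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ffw_demo_save_settings', 'ffw_demo_nonce' );
    $value = sanitize_text_field( wp_unslash( $_POST['ffw_demo_setting'] ) );
    update_option( 'ffw_demo_setting', $value );
}
add_action( 'admin_init', 'ffw_demo_save_settings_fixed' );
// The settings form must emit the matching hidden nonce field.
function ffw_demo_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ffw_demo_save_settings', 'ffw_demo_nonce' ); ?>
        <input type="text" name="ffw_demo_setting"
               value="<?php echo esc_attr( get_option( 'ffw_demo_setting', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
// admin-ajax.php endpoints need the same two checks; check_ajax_referer()
// replies -1 with HTTP 403 and exits when the nonce is missing or invalid.
function ffw_demo_ajax_save() {
    check_ajax_referer( 'ffw_demo_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'ffw_demo_setting', sanitize_text_field( wp_unslash( $_POST['ffw_demo_setting'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_ffw_demo_save', 'ffw_demo_ajax_save' );
```

Reviewing a plugin for this flaw means checking that every handler which writes options reaches check_admin_referer() or check_ajax_referer() before update_option(), and that the form or script actually emits the matching nonce.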
Update to version 1.2.6 or a later fixed version.
CVE-2026-1208 is a Cross-Site Request Forgery (CSRF) vulnerability in the Friendly Functions for Welcart WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using Friendly Functions for Welcart version 0.0.0 through 1.2.5. Upgrade to 1.2.6 or later to mitigate the risk.
Upgrade the Friendly Functions for Welcart plugin to version 1.2.6 or later. Consider WAF rules and user access controls as temporary mitigations.
No active exploitation campaigns targeting CVE-2026-1208 have been publicly reported as of this writing.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.