Description
The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated modification of plugin configuration via CSRF
Action: Patch
AI Analysis

Impact

The Whatsiplus Scheduled Notification for WooCommerce plugin contains a Cross‑Site Request Forgery flaw caused by the absence of nonce validation on the wsnfw_save_users_settings AJAX action. An attacker who can coerce a logged‑in administrator into clicking a crafted link or submitting a forged form can alter the plugin's configuration settings without holding any credentials of their own; the administrator's browser supplies the authenticated session. The vulnerability only affects the integrity of the plugin's settings and does not provide code execution or data exfiltration.

Affected Systems

WordPress sites that run the Whatsiplus Scheduled Notification for WooCommerce plugin version 1.0.1 or earlier. Versions newer than 1.0.1 are not affected because the CSRF protection has been added in later releases.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of less than 1% reflects a low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires a web‑based CSRF attack: the attacker must prompt a legitimate administrator to perform a request while a logged‑in session is active. This typically involves social engineering, such as a phishing link or malicious form. Given the moderate severity and low exploitation probability, the risk remains manageable but should be mitigated promptly to prevent potential configuration misuse.

Generated by OpenCVE AI on April 15, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Whatsiplus Scheduled Notification for WooCommerce plugin to the latest release that includes CSRF protection.
  • If a patch is not yet available, modify the plugin’s wsnfw_save_users_settings AJAX handler to require a valid nonce before processing requests.
  • Restrict access to the AJAX endpoint so that only authenticated users with the appropriate capability can invoke it, for example by adding a capability check or using a firewall rule to block unauthenticated requests.
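The second and third recommended actions describe what a correct WordPress admin-ajax handler looks like: a nonce check for CSRF protection, a capability check for authorization, and input validation before anything is persisted. The following is an added illustration written for this page, not the plugin's own code. It assumes a hypothetical settings shape (an `enabled` flag and a `phone` field), an assumed option name `wsnfw_users_settings` and an assumed nonce action `wsnfw_save_users_settings_nonce`; only the action name `wsnfw_save_users_settings` comes from the advisory.

```php
<?php
// Added example, not the plugin's own code. Hardened admin-ajax handler for the
// wsnfw_save_users_settings action. Option name, nonce action and field names
// are assumptions made for this illustration.

// Register on wp_ajax_ only (logged-in users). There is no wp_ajax_nopriv_
// registration: a settings-save action has no legitimate unauthenticated caller.
add_action( 'wp_ajax_wsnfw_save_users_settings', 'wsnfw_save_users_settings_handler' );

function wsnfw_save_users_settings_handler() {
    // 1. CSRF protection (the missing check in CVE-2026-1455): the request must
    //    carry a nonce issued to this user for this specific action. On failure
    //    check_ajax_referer() terminates the request with "-1".
    check_ajax_referer( 'wsnfw_save_users_settings_nonce', 'security' );

    // 2. Authorization: a valid nonce proves intent, not privilege. Require the
    //    capability an administrator holds before touching plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate and sanitize input before persisting it. Field names are
    //    constructed for this example.
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    $phone   = isset( $_POST['phone'] ) ? sanitize_text_field( wp_unslash( $_POST['phone'] ) ) : '';

    if ( '' !== $phone && ! preg_match( '/^\+?[0-9]{6,15}$/', $phone ) ) {
        wp_send_json_error( array( 'message' => 'Invalid phone number.' ), 400 );
    }

    update_option( 'wsnfw_users_settings', array(
        'enabled' => $enabled,
        'phone'   => $phone,
    ) );

    wp_send_json_success();
}

// Issue the nonce to the settings page script. Only the legitimate admin page
// receives it; a page on an attacker's origin cannot read it, so a forged
// cross-site request cannot pass the check above.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    // Assumed hook suffix for a hypothetical "wsnfw" settings page.
    if ( 'settings_page_wsnfw' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'wsnfw-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wsnfw-settings', 'wsnfwAjax', array(
        'url'      => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'wsnfw_save_users_settings_nonce' ),
    ) );
} );
```

The nonce and the capability check address different failures and both are needed: the nonce ties the request to a page the administrator actually loaded, while `current_user_can()` ensures that a lower-privileged but logged-in user who somehow obtains a nonce still cannot change the settings. When auditing a plugin for this class of bug, the quick check is to locate every `wp_ajax_*` and `wp_ajax_nopriv_*` registration and confirm that each state-changing handler calls `check_ajax_referer()` (or `wp_verify_nonce()`) before its first `update_option()` or database write.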



Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values added: Whatsiplus; Whatsiplus whatsiplus Scheduled Notification For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Whatsiplus; Whatsiplus whatsiplus Scheduled Notification For Woocommerce; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type: Description
Values added: The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values added: Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action

Type: Weaknesses
Values added: CWE-352

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:37.063Z

Reserved: 2026-01-26T20:12:04.006Z

Link: CVE-2026-1455

Vulnrichment

Updated: 2026-02-19T21:27:55.450Z

NVD

Status: Deferred

Published: 2026-02-19T07:17:44.060

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1455

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses