Description
The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the 'delete' GET parameter. This makes it possible for unauthenticated attackers to delete arbitrary plugin feed data (from alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Alfie – Feed Plugin for WordPress contains a CSRF vulnerability in all releases up to and including version 1.2.1. The core issue is missing nonce validation within the alfie_manage() function when handling the 'delete' GET parameter. This omission allows an attacker to craft a request that, if an authorized user is tricked into visiting it, invokes the feed deletion routine and permanently removes data from several plugin tables (alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct). Because the handler never verifies that the request was intentionally issued by the logged-in user (the purpose of the nonce), the forged request is processed with the victim's privileges; the impact is loss of integrity of the plugin's feed data.

Affected Systems

WordPress sites running the Alfie – Feed Plugin version 1.2.1 or earlier. Any installation of the plugin (vendor Pftool, product Alfie – Feed Plugin) at an affected version is therefore susceptible. The affected tables store the plugin's feed definitions, product entries, reaction logs, and search product entries.

Risk and Exploitability

The CVSS score of 4.3 categorizes this as a moderate severity issue. No EPSS value is available, and the vulnerability is not listed in CISA’s KEV catalog, which suggests the probability of widespread exploitation remains unquantified. The attack vector is inferred to be CSRF via a forged GET request that an attacker can embed in a link or form, relying on an administrative user visiting the link while authenticated. Once triggered, the attacker can delete arbitrary feed data without needing any privileged credentials, but only while the victim’s session remains active.

Generated by OpenCVE AI on May 22, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Alfie – Feed Plugin to the latest released version, which restores proper nonce validation and removes the CSRF flaw.
  • If an immediate update is not possible, add your own nonce check to the plugin’s delete action to ensure that only authenticated, intended requests are processed—this can be done by editing the delete link to include a valid WordPress nonce and changing the handler to require a POST request with verification.
  • Enable two‑factor authentication for administrative accounts and restrict admin area access to known IP ranges to reduce the likelihood that a logged‑in admin will be tricked into following a malicious link.

Generated by OpenCVE AI on May 22, 2026 at 06:20 UTC.
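The second recommended action above, shown as a before/after handler. This is an added illustration, not the plugin's own code: the alfie_manage() name, the 'delete' parameter and the alfie_colindex table come from the advisory, while the handler structure, the manage_options capability, the alfie_delete_feed action name and the $wpdb->prefix table prefix are assumptions.

```php
<?php
// Added illustration, not the Alfie plugin's code. Handler structure,
// capability name, action name and table prefix are assumptions.

// BEFORE: the pattern the advisory describes. Any GET request carrying
// ?delete=<id> that reaches this handler inside an admin session deletes
// the feed, because nothing proves the admin meant to request it.
function alfie_manage_unsafe() {
    global $wpdb;
    if ( isset( $_GET['delete'] ) ) {
        $id = absint( $_GET['delete'] );
        // One table shown for brevity; the advisory lists four.
        $wpdb->delete( $wpdb->prefix . 'alfie_colindex', array( 'id' => $id ), array( '%d' ) );
    }
}

// AFTER: the delete control is a POST form carrying a nonce tied to the feed id
// (a GET link could equally be wrapped with wp_nonce_url() and checked the same way).
function alfie_render_delete_button( $feed_id ) {
    $feed_id = absint( $feed_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="alfie_delete_feed">
        <input type="hidden" name="feed_id" value="<?php echo esc_attr( $feed_id ); ?>">
        <?php wp_nonce_field( 'alfie_delete_feed_' . $feed_id, 'alfie_nonce' ); ?>
        <?php submit_button( 'Delete feed', 'delete', 'submit', false ); ?>
    </form>
    <?php
}

// Handler: method, capability and nonce are all checked before any row is touched.
function alfie_manage_delete() {
    global $wpdb;
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Invalid request method.', 400 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $id = isset( $_POST['feed_id'] ) ? absint( $_POST['feed_id'] ) : 0;
    // Action string includes the id, so a nonce for one feed cannot delete another.
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'alfie_delete_feed_' . $id, 'alfie_nonce' );
    if ( $id > 0 ) {
        $wpdb->delete( $wpdb->prefix . 'alfie_colindex', array( 'id' => $id ), array( '%d' ) );
    }
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_alfie_delete_feed', 'alfie_manage_delete' );
```

Nonces expire and are bound to the user session, so a link an administrator is tricked into opening from elsewhere cannot carry a valid one; the capability check additionally keeps lower-privileged accounts from reaching the deletion at all.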

Advisories

No advisories yet.

History

Sat, 23 May 2026 03:15:00 +0000

Metrics (ssvc), added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 06:45:00 +0000

First Time appeared, added: Pftool; Pftool alfie – Feed Plugin; Wordpress; Wordpress wordpress
Vendors & Products, added: Pftool; Pftool alfie – Feed Plugin; Wordpress; Wordpress wordpress

Fri, 22 May 2026 05:00:00 +0000

Description, added: The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the 'delete' GET parameter. This makes it possible for unauthenticated attackers to delete arbitrary plugin feed data (from alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title, added: Alfie <= 1.2.1 - Cross-Site Request Forgery to Feed Deletion via 'delete' Parameter
Weaknesses, added: CWE-352
References, added:
Metrics (cvssV3_1), added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-23T02:26:29.032Z

Reserved: 2026-03-12T19:42:43.120Z

Link: CVE-2026-4070

Vulnrichment

Updated: 2026-05-23T02:26:24.437Z

NVD

Status: Received

Published: 2026-05-22T05:16:27.233

Modified: 2026-05-22T05:16:27.233

Link: CVE-2026-4070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T06:30:29Z

Weaknesses