Description
The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Published: 2026-06-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected BirdSeed plugin accepts the 'birdseed_token' GET parameter in its settings page and saves the value to the database without validating a nonce. This deficiency enables any user to post a forged request that changes the plugin’s token configuration. The primary consequence is that an attacker could alter the token used for birdseed interactions, potentially subverting the plugin’s intended functionality or creating a point of entry for further compromise. The flaw is identified as a Cross‑Site Request Forgery weakness (CWE‑352).

Affected Systems

The vulnerability applies to all installations of the BirdSeed WordPress plugin from the initial release through version 2.2.0. Any WordPress site that has installed BirdSeed during this period is considered exposed. Administrators using older versions without the fix should be made aware that their sites could allow third‑party actors to tamper with the birdseed token setting.

Risk and Exploitability

The CVSS score of 4.3 reflects a low‑to‑moderate risk that does not require privileged access, but it does necessitate an administrator to click a crafted link or form submission. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the exploitation probability is uncertain, yet the attack requires user interaction. The lack of a nonce check means the vulnerability is trivial to trigger for those targeting sites where administrators might be inadvertently tricked into approving an unexpected request.

Generated by OpenCVE AI on June 2, 2026 at 09:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BirdSeed plugin to a version that includes nonce validation, ensuring version 2.3.0 or later is installed.
  • Re‑configure the BirdSeed token setting after the update to confirm that the correct value is stored and that no unauthorized changes have persisted.
  • Review WordPress administrative pages to guarantee that all custom forms and settings use proper nonces, and consider installing a comprehensive security plugin to enforce CSRF protection across the site.

Generated by OpenCVE AI on June 2, 2026 at 09:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Birdseedapp
Birdseedapp birdseed
Wordpress
Wordpress wordpress
Vendors & Products Birdseedapp
Birdseedapp birdseed
Wordpress
Wordpress wordpress

Tue, 02 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Description The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Title BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Birdseedapp Birdseed
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-02T10:46:52.069Z

Reserved: 2026-03-12T19:44:37.384Z

Link: CVE-2026-4071

cve-icon Vulnrichment

Updated: 2026-06-02T10:46:47.025Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T09:16:16.377

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-4071

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:52:04Z

Weaknesses