Description
The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function which handles saving, creating, and deleting plugin settings. The form rendered on the settings page does not include a wp_nonce_field(), and the save handler does not call wp_verify_nonce() or check_admin_referer() before processing settings updates via $wpdb->update(). This makes it possible for unauthenticated attackers to modify plugin settings such as call-to-action box title, content, link URL, image URL, colors, and other configuration options via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration modification via CSRF
Action: Immediate Update
AI Analysis

Impact

The Call To Action Plugin contains a cross‑site request forgery flaw caused by omitted nonce validation in the settings update handler. This defect allows an attacker to send a forged HTTP request that, when executed by an authenticated administrator, will change plugin configuration values such as box title, content, link URL, image URL, and color options. The resulting impact is a compromise of data integrity and potential defacement or phishing of visitors to the site, though it does not provide direct code execution capabilities.

Affected Systems

WordPress sites running the Call To Action Plugin version 3.1.3 or older, the plugin maintained by tmarek, are vulnerable. Any installation of the plugin within this version range is affected.

Risk and Exploitability

The CVSS base score of 4.3 indicates a moderate risk, reflecting that the vulnerability requires administrative interaction for exploitation. The EPSS score is not available and the issue is not listed in CISA KEV. Attackers rely on social engineering to trigger the forged request, typically by convincing a site administrator to click a crafted link. While exploitation potential is limited to users with administrative access, the widespread use of the plugin elevates the overall threat exposure.

Generated by OpenCVE AI on April 22, 2026 at 09:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Call To Action Plugin to a version newer than 3.1.3 that includes nonce validation in the settings update flow.
  • If a patch cannot be applied immediately, restrict access to the plugin settings page by IP or enforce two‑factor authentication for administrators to reduce the chance of a forged request being accepted.
  • As a temporary workaround, manually verify and revert any unintended changes to the plugin settings and monitor the site for anomalous configuration changes.

Generated by OpenCVE AI on April 22, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Tmarek
Tmarek call To Action Plugin
Wordpress
Wordpress wordpress
Vendors & Products Tmarek
Tmarek call To Action Plugin
Wordpress
Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function which handles saving, creating, and deleting plugin settings. The form rendered on the settings page does not include a wp_nonce_field(), and the save handler does not call wp_verify_nonce() or check_admin_referer() before processing settings updates via $wpdb->update(). This makes it possible for unauthenticated attackers to modify plugin settings such as call-to-action box title, content, link URL, image URL, colors, and other configuration options via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Title Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Tmarek Call To Action Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T12:58:39.479Z

Reserved: 2026-03-13T13:21:19.956Z

Link: CVE-2026-4118

cve-icon Vulnrichment

Updated: 2026-04-22T12:58:36.269Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T09:16:23.180

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4118

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:06Z

Weaknesses