Description
The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_plugin_page() function which handles settings updates. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Published: 2026-03-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Cross‑Site Request Forgery that allows modification of plugin settings
Action: Patch immediately
AI Analysis

Impact

The Neos Connector for Fakturama plugin for WordPress contains a missing nonce check in the ncff_add_plugin_page() routine. This omission enables a Cross‑Site Request Forgery attack: an unauthenticated user can convince a site administrator to send a crafted request that updates plugin configuration. Because the plugin settings govern how Fakturama interacts with the WordPress site, an attacker could change operational parameters, potentially exposing the site to further compromise or disrupting business processes. The weakness is a classic CSRF vulnerability (CWE‑352).

Affected Systems

All installations of the Neos Connector for Fakturama WordPress plugin with version 0.0.14 or earlier. The affected component is the plugin’s admin interface that handles settings updates. The vendor is neo2oo5, product Neos Connector for Fakturama. No additional products are listed.

Risk and Exploitability

The CVSS score of 4.3 indicates a low‑to‑moderate severity. Exploitation requires only that an administrator click a malicious link; the attacker does not need any privileged credentials. No EPSS information is available and the vulnerability is not in the CISA KEV catalog. Given the low effort required once the admin is deceived, the risk for sites that maintain older plugin versions is moderate, especially if they lack additional CSRF protections.

Generated by OpenCVE AI on March 21, 2026 at 07:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Neos Connector for Fakturama to a version newer than 0.0.14.
  • Verify that the plugin’s settings update routine contains proper nonce validation, and modify the code if necessary.
  • If an update cannot be applied immediately, temporarily disable the plugin settings edit capability or restrict access to administrators.
  • Ensure that the broader WordPress installation and all other plugins are up to date.

Generated by OpenCVE AI on March 21, 2026 at 07:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Neo2oo5
Neo2oo5 neos Connector For Fakturama
Wordpress
Wordpress wordpress
Vendors & Products Neo2oo5
Neo2oo5 neos Connector For Fakturama
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_plugin_page() function which handles settings updates. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Title Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Neo2oo5 Neos Connector For Fakturama
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:29.908Z

Reserved: 2026-03-13T15:43:59.960Z

Link: CVE-2026-4143

cve-icon Vulnrichment

Updated: 2026-03-23T16:56:13.605Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:17:42.840

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-4143

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:41:33Z

Weaknesses