Description
The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSRF allowing modification of plugin settings
Action: Patch
AI Analysis

Impact

Fast & Fancy Filter – 3F does not verify a nonce in the saveFields() function that handles its fff_save_settins AJAX action, which enables Cross‑Site Request Forgery. An unauthenticated attacker who gets a logged-in administrator to issue a forged request can alter the plugin’s configuration, update arbitrary options, or create new filter posts, compromising the site’s filtering behavior.

Affected Systems

The vulnerability impacts the Fast & Fancy Filter – 3F WordPress plugin, specifically versions 1.2.2 and earlier. Users running this plugin on any WordPress installation are susceptible.

Risk and Exploitability

With a CVSS score of 4.3 and no EPSS data, the risk is moderate. The flaw is not listed in CISA KEV. The attack vector is inferred to be a forged URL that triggers the AJAX request while an administrator is logged in. An attacker must lure an admin into clicking a crafted link, after which plugin settings can be changed without further authentication.

Generated by OpenCVE AI on April 22, 2026 at 10:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fast & Fancy Filter – 3F to the latest version that implements nonce verification for the fff_save_settins AJAX action.
  • If a patch is not available, disable the fff_save_settins action by removing or commenting out the corresponding handler in the plugin’s admin class, so that forged requests sent through an administrator’s session have no handler to reach.
  • Consider disabling the plugin entirely or restricting its use to trusted administrators until the vulnerability is resolved.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webarea; Webarea fast & Fancy Filter – 3f; Wordpress; Wordpress wordpress
Vendors & Products | | Webarea; Webarea fast & Fancy Filter – 3f; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title | | Fast & Fancy Filter – 3F <= 1.2.2 - Cross-Site Request Forgery to Settings Modification via fff_save_settins AJAX Action
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T13:02:37.153Z

Reserved: 2026-04-15T20:16:25.894Z

Link: CVE-2026-6396

Vulnrichment

Updated: 2026-04-22T13:02:33.252Z

NVD

Status: Deferred

Published: 2026-04-22T09:16:26.810

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-6396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:13Z

Weaknesses