Description
The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options() function, which handles plugin settings updates. The form template does not include a wp_nonce_field() call, and the handler never calls check_admin_referer() or wp_verify_nonce(). This makes it possible for unauthenticated attackers to trick a site administrator into clicking a link or visiting a malicious page that submits a forged POST request, causing unauthorized changes to the plugin settings such as unit preferences to be persisted to the database via update_option().
Published: 2026-05-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Child Height Predictor by Ostheimer WordPress plugin contains a Cross-Site Request Forgery flaw that lets an unauthenticated attacker submit forged POST requests to the plugin’s settings form. Because the setting-update handler does not verify a nonce, an administrator who follows a malicious link or visits a crafted page can change options such as unit preferences, which are then persisted to the database with update_option(). The flaw grants the attacker the ability to alter plugin configuration but does not allow execution of code or modification of other WordPress settings.

Affected Systems

All installations of the Child Height Predictor by Ostheimer plugin up to and including version 1.3 are vulnerable. WordPress sites running any of those plugin versions are susceptible whenever the plugin’s settings page is available to administrators; no specific WordPress core versions are mentioned.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. EPSS data is not available, so the likelihood of exploitation is unclear, but the flaw can be abused through a simple malicious link or script that triggers a forged POST. The attacker does not need administrator credentials to craft the request, but practical exploitation requires an administrator to unknowingly submit the request. The threat is limited to the plugin’s configuration settings, which reduces overall damage but can still impact site operation.

Generated by OpenCVE AI on May 20, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Child Height Predictor plugin to a version newer than 1.3, which includes proper nonce validation in the settings handler.
  • If an upgrade is not immediately possible, edit the plugin’s settings form in childheight.php to add a wp_nonce_field() call and modify the options() function to invoke check_admin_referer() or wp_verify_nonce() before calling update_option().
  • As a temporary containment measure, restrict administrator access to the plugin’s settings page or block the settings endpoint with a web application firewall.
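As an added example (not the plugin's own code), the unprotected settings handler pattern the advisory describes next to the hardened form the recommended actions call for: a wp_nonce_field() in the form and check_admin_referer() in the handler before update_option(). Function, option and field names such as chp_unit and chp_save_settings are hypothetical.

```php
<?php
// Added example, not the plugin's code. Names (chp_*) are hypothetical.

// Vulnerable pattern: persists $_POST straight to the database with no nonce
// or capability check, so any cross-site POST the admin's browser sends is honoured.
function chp_options_vulnerable() {
    if ( isset( $_POST['chp_unit'] ) ) {
        update_option( 'chp_unit', sanitize_text_field( wp_unslash( $_POST['chp_unit'] ) ) );
    }
    chp_render_form( false );
}

// Hardened form: capability check, then nonce verification, then an allow-list on the value.
function chp_options_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'chp' ) );
    }
    if ( isset( $_POST['chp_unit'] ) ) {
        // Stops with a 403 page when the nonce field is missing or does not match
        // the 'chp_save_settings' action for the current user and session.
        check_admin_referer( 'chp_save_settings', 'chp_settings_nonce' );
        $unit = sanitize_text_field( wp_unslash( $_POST['chp_unit'] ) );
        if ( in_array( $unit, array( 'metric', 'imperial' ), true ) ) {
            update_option( 'chp_unit', $unit );
        }
    }
    chp_render_form( true );
}

// Renders the settings form; with $with_nonce the hidden nonce field is emitted,
// which is the field check_admin_referer() above validates.
function chp_render_form( $with_nonce ) {
    $unit = get_option( 'chp_unit', 'metric' );
    echo '<form method="post">';
    if ( $with_nonce ) {
        wp_nonce_field( 'chp_save_settings', 'chp_settings_nonce' );
    }
    echo '<select name="chp_unit">';
    foreach ( array( 'metric', 'imperial' ) as $opt ) {
        printf(
            '<option value="%1$s"%2$s>%1$s</option>',
            esc_attr( $opt ),
            selected( $unit, $opt, false )
        );
    }
    echo '</select>';
    submit_button();
    echo '</form>';
}
```

The nonce alone does not replace the current_user_can() check: the nonce ties the request to the logged-in user's session, while the capability check confirms that user is allowed to change settings at all.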

Generated by OpenCVE AI on May 20, 2026 at 03:22 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Helpstring; Helpstring child Height Predictor By Ostheimer; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Helpstring; Helpstring child Height Predictor By Ostheimer; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options() function, which handles plugin settings updates. The form template does not include a wp_nonce_field() call, and the handler never calls check_admin_referer() or wp_verify_nonce(). This makes it possible for unauthenticated attackers to trick a site administrator into clicking a link or visiting a malicious page that submits a forged POST request, causing unauthorized changes to the plugin settings such as unit preferences to be persisted to the database via update_option().

Type: Title
Values Removed: (empty)
Values Added: Child Height Predictor by Ostheimer <= 1.3 - Cross-Site Request Forgery to Settings Update via Plugin Settings Form

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-352

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Helpstring: Child Height Predictor By Ostheimer
Wordpress: Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T12:59:26.187Z

Reserved: 2026-04-15T20:28:43.917Z

Link: CVE-2026-6400

Vulnrichment

Updated: 2026-05-20T12:59:22.628Z

NVD

Status : Deferred

Published: 2026-05-20T02:16:38.067

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-6400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:12Z

Weaknesses