Description
The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgames_syndicate_submenu() function. This makes it possible for unauthenticated attackers to reset plugin settings and update them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-20
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Bigfishgames Syndicate WordPress plugin is a cross-site request forgery (CWE-352) in the bigfishgames_syndicate_submenu() function, which processes the plugin's settings form without a valid nonce check. An attacker who can get a logged-in site administrator to open a malicious page or link can make the administrator's browser submit a forged request that resets the plugin's configuration and then stores attacker-chosen values. The flaw gives no code execution and discloses no data; per the CVSS vector (C:N/I:L/A:N) its effect is a limited loss of integrity confined to the plugin's settings, although attacker-chosen settings may still alter what the plugin does or displays on the site.

Affected Systems

WordPress sites running the Bigfishgames Syndicate plugin, versions 1.2 and earlier.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates moderate risk; no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attacker needs no account on the site (PR:N), but exploitation depends on user interaction (UI:R): an authenticated administrator must load attacker-controlled content, for example by clicking a link, and the forged request is then sent by the administrator's browser with the administrator's own session cookies. Because the flaw permits only configuration changes, with no data disclosure or denial of service, the impact is limited to the plugin's settings, though a misconfigured plugin can still affect site behaviour and content.

Generated by OpenCVE AI on May 20, 2026 at 03:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bigfishgames Syndicate plugin to a version later than 1.2 as soon as the maintainer publishes one that adds proper nonce validation.
  • If an updated version is not yet released, disable or remove the plugin from the WordPress installation until a patched version becomes available.
  • For sites that must continue to use the plugin, review the source code or apply a custom patch so that a valid nonce is checked (for example with check_admin_referer() or wp_verify_nonce()) before any settings are reset or updated, and keep the settings page restricted to users with the manage_options capability. Note that a capability check on its own does not address CSRF: the forged request is executed by an administrator who already holds that capability, so the nonce, which an attacker cannot obtain cross-site, is the control that actually blocks the attack.
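As an added illustration of the nonce check recommended above, the following PHP shows the vulnerable pattern beside a hardened settings handler. This is example code written for this page, not the plugin's own code: the function names, option name and form field names (example_syndicate_*) are hypothetical, while the WordPress API calls (check_admin_referer(), wp_nonce_field(), current_user_can(), update_option(), delete_option(), add_submenu_page(), submit_button()) are real core functions.

```php
<?php
// Added example, not code from the Bigfishgames Syndicate plugin.
// Handler, option and field names are hypothetical.

// --- Vulnerable pattern: what "missing nonce validation" looks like ---
// The handler trusts any POST that reaches it. A browser attaches the
// administrator's session cookies to a cross-site POST, so a page that the
// administrator merely loads can reset and rewrite these settings.
function example_syndicate_submenu_vulnerable() {
    if ( isset( $_POST['example_reset'] ) ) {
        delete_option( 'example_syndicate_settings' );
    }
    if ( isset( $_POST['example_feed_url'] ) ) {
        update_option( 'example_syndicate_settings', array(
            'feed_url' => $_POST['example_feed_url'],
        ) );
    }
    // ... form rendering omitted ...
}

// --- Hardened pattern ---
function example_syndicate_submenu_hardened() {
    // 1. Capability check: defensive, but not a CSRF control on its own,
    //    because the victim of the forged request is an administrator.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'example' ) );
    }

    $settings = get_option( 'example_syndicate_settings', array( 'feed_url' => '' ) );

    // 2. Nonce check before any state change. check_admin_referer() verifies
    //    the nonce emitted by wp_nonce_field() below and stops the request
    //    (wp_die with a 403 page) if the nonce is absent or invalid. The nonce
    //    is tied to the user's session and the action name, so a cross-site
    //    form cannot supply it, and no option is touched for a forged request.
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        check_admin_referer( 'example_syndicate_save', 'example_syndicate_nonce' );

        if ( isset( $_POST['example_reset'] ) ) {
            delete_option( 'example_syndicate_settings' );
            $settings = array( 'feed_url' => '' );
        } elseif ( isset( $_POST['example_feed_url'] ) ) {
            // 3. Sanitize input before storing it.
            $feed_url = esc_url_raw( wp_unslash( $_POST['example_feed_url'] ) );
            $settings = array( 'feed_url' => $feed_url );
            update_option( 'example_syndicate_settings', $settings );
        }
    }
    ?>
    <div class="wrap">
        <h1>Syndicate settings</h1>
        <form method="post">
            <?php wp_nonce_field( 'example_syndicate_save', 'example_syndicate_nonce' ); ?>
            <p>
                <label for="example_feed_url">Feed URL</label>
                <input type="url" id="example_feed_url" name="example_feed_url"
                       value="<?php echo esc_attr( $settings['feed_url'] ); ?>">
            </p>
            <?php submit_button( 'Save' ); ?>
            <?php submit_button( 'Reset to defaults', 'secondary', 'example_reset' ); ?>
        </form>
    </div>
    <?php
}

// Register the page under Settings; the callback runs only inside wp-admin.
add_action( 'admin_menu', function () {
    add_submenu_page(
        'options-general.php',
        'Syndicate',
        'Syndicate',
        'manage_options',
        'example-syndicate',
        'example_syndicate_submenu_hardened'
    );
} );
```

When auditing an installed copy of the plugin, look for the same shape: every branch of the submenu callback that calls update_option(), delete_option() or similar must be preceded by a check_admin_referer() or wp_verify_nonce() call whose action name matches the wp_nonce_field() in the rendered form, and a reset path needs that check just as much as a save path.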

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Ktulhu; Ktulhu bigfishgames Syndicate; Wordpress; Wordpress wordpress
Vendors & Products | (none) | Ktulhu; Ktulhu bigfishgames Syndicate; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgames_syndicate_submenu() function. This makes it possible for unauthenticated attackers to reset plugin settings and update them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title | (none) | Bigfishgames Syndicate <= 1.2 - Cross-Site Request Forgery to Settings Reset and Update
Weaknesses | (none) | CWE-352
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T01:25:49.120Z

Reserved: 2026-04-16T19:41:19.813Z

Link: CVE-2026-6452

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-20T02:16:38.497

Modified: 2026-05-20T02:16:38.497

Link: CVE-2026-6452

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:28Z

Weaknesses