Description
The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() function, which handles the delete action (action=delete) via a GET request without any wp_verify_nonce() / check_admin_referer() call. This makes it possible for unauthenticated attackers to delete arbitrary game catalog entries (including the associated WordPress post created for the game) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-20
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Games Catalog plugin contains a CSRF vulnerability: the delete action is triggered via a GET request without nonce validation. An attacker can craft a malicious URL and trick an administrator into opening it, leading to the removal of game catalog items and the WordPress posts created for them. The impact is to data integrity and availability, as administrative control over the catalog is compromised.

Affected Systems

WordPress sites running the Games Catalog plugin by askywhale, version 1.2.0 or earlier. No other products are affected.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the Medium range. EPSS data is not available, and it is not listed in CISA’s KEV catalog. The likely attack vector is social engineering: an attacker must convince an administrator to click a malicious link, which then triggers the delete action because the plugin accepts the request without verification. Because the flaw cannot be triggered without that user interaction, exploitation requires that the target site have an admin user who can be induced to open the crafted URL. The impact is limited to deletion of catalog data, but that can effectively erase user content and disrupt site functionality.

Generated by OpenCVE AI on May 20, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Games Catalog plugin to a version newer than 1.2.0 where the CSRF protection has been added.
  • Deploy a web application firewall or security plugin that blocks or logs unexpected GET requests to the deletion endpoint and requires proper authentication.
  • Perform regular backups of the WordPress database and verify that game catalog data can be restored in case of accidental or malicious deletion.
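An added illustration of the bug class the description names (CWE-352, a GET-driven delete handler with no nonce validation) next to the check_admin_referer() / current_user_can() form that rejects a forged link. This is not the plugin's own code; the function names, the 'gc_game_id' parameter and the 'games-catalog' admin page slug are assumed for the example.

```php
<?php
// Added illustration of the bug class named in the description (CWE-352), not the
// plugin's own code. Function names, the 'gc_game_id' parameter and the
// 'games-catalog' admin page slug are assumed for the example.

// VULNERABLE PATTERN: any request carrying action=delete performs the delete,
// so a link the administrator is tricked into opening is enough.
function gc_delete_game_unchecked() {
    if ( isset( $_GET['action'] ) && 'delete' === $_GET['action'] ) {
        $game_id = absint( $_GET['gc_game_id'] );
        wp_delete_post( $game_id, true ); // removes the game's WordPress post
    }
}

// HARDENED PATTERN: capability check plus a nonce bound to this action and ID.
function gc_delete_game_checked() {
    if ( ! isset( $_GET['action'] ) || 'delete' !== $_GET['action'] ) {
        return;
    }
    $game_id = isset( $_GET['gc_game_id'] ) ? absint( $_GET['gc_game_id'] ) : 0;
    if ( ! $game_id ) {
        wp_die( 'Missing game id.' );
    }
    // Only a user allowed to delete this post may reach the destructive branch.
    if ( ! current_user_can( 'delete_post', $game_id ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() validates $_GET['_wpnonce'] against the action string
    // for the current user's session and dies with the "link has expired" page
    // when it is absent or stale, which is what a forged cross-site link fails on.
    check_admin_referer( 'gc_delete_game_' . $game_id );
    wp_delete_post( $game_id, true );
}

// The legitimate delete link must carry the matching nonce. wp_nonce_url()
// appends _wpnonce for the same action string, so only a link minted by the
// plugin's own admin page for this user validates.
function gc_delete_game_link( $game_id ) {
    $url = add_query_arg(
        array( 'action' => 'delete', 'gc_game_id' => absint( $game_id ) ),
        admin_url( 'admin.php?page=games-catalog' )
    );
    return wp_nonce_url( $url, 'gc_delete_game_' . $game_id );
}

add_action( 'admin_init', 'gc_delete_game_checked' );
```

WordPress nonces are tied to the logged-in user's session and to the action string, so the same check also defeats a link replayed by a different user or against a different game ID.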


Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Askywhale
                                      Askywhale games Catalog
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Askywhale
                                      Askywhale games Catalog
                                      Wordpress
                                      Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type         Values Removed   Values Added
Description                   The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() function which handles the delete action (action=delete) via a GET request without any wp_verify_nonce() / check_admin_referer() call. This makes it possible for unauthenticated attackers to delete arbitrary game catalog entries (including the associated WordPress post created for the game) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Title                         Games Catalog <= 1.2.0 - Cross-Site Request Forgery to Arbitrary Game/Post Deletion
Weaknesses                    CWE-352
References
Metrics                       cvssV3_1
                              {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T01:25:44.064Z

Reserved: 2026-05-12T17:41:58.391Z

Link: CVE-2026-8418

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-20T02:16:39.827

Modified: 2026-05-20T02:16:39.827

Link: CVE-2026-8418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:36Z

Weaknesses