Description
The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options_page function. This makes it possible for unauthenticated attackers to update the plugin's breadcrumb configuration, including templates, delimiter, home label, home URI, and breadcrumb rules via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Genzel Breadcrumbs WordPress plugin is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.2. The flaw arises from missing or incorrect nonce validation on the settings page, enabling an attacker to forge a request that updates the breadcrumb configuration. An attacker who tricks a logged-in site administrator into clicking a malicious link could change the breadcrumb templates, delimiters, home label, home URI, and breadcrumb rules. This does not provide remote code execution but can alter site navigation and potentially hide malicious URLs or mislead users.

Affected Systems

All installations of the Genzel Breadcrumbs plugin running version 1.2 or earlier are affected. No specific patch versions are listed for higher releases, but any update beyond 1.2 should resolve the vulnerability.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The attack vector is CSRF: an attacker must persuade an administrator to visit a crafted link while authenticated. No privilege escalation or remote code execution is involved, but the impact on site configuration warrants timely remediation.

Generated by OpenCVE AI on May 27, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Genzel Breadcrumbs plugin to a version newer than 1.2; the latest releases include the required nonce validation.
  • If the plugin cannot be upgraded, disable or uninstall it to eliminate the vulnerability.
  • Modify the plugin’s settings form to include a nonce field and validate it on submission with the WordPress routine check_admin_referer before applying any changes.
  • Restrict the settings page to administrators only and advise admins to avoid clicking links from untrusted sources.
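As an added illustration of the nonce recommendation above (not code from the Genzel Breadcrumbs plugin), the handler below shows the missing-nonce pattern beside a hardened version that checks capability, verifies the nonce with check_admin_referer, and sanitizes input before writing; every function, option and action name here is assumed.

```php
<?php
// Added example, not the plugin's own code. Option names, action string and
// function names are assumptions chosen for illustration.

// Vulnerable pattern: the handler trusts any POST that reaches it, so a form
// submitted cross-site by a logged-in administrator's browser updates settings.
function bc_example_options_page_vulnerable() {
    if ( isset( $_POST['bc_delimiter'] ) ) {
        update_option( 'bc_example_delimiter', $_POST['bc_delimiter'] );
    }
    // ... render the form ...
}

// Hardened pattern: capability check, then nonce verification, then sanitized write.
function bc_example_options_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bc-example' ) );
    }

    if ( isset( $_POST['bc_delimiter'] ) ) {
        // check_admin_referer() validates the '_wpnonce' field emitted by
        // wp_nonce_field() against the action string and calls wp_die() on failure,
        // so a forged request from another origin never reaches update_option().
        check_admin_referer( 'bc_example_save_settings' );

        update_option(
            'bc_example_delimiter',
            sanitize_text_field( wp_unslash( $_POST['bc_delimiter'] ) )
        );
    }

    $delimiter = get_option( 'bc_example_delimiter', '/' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'bc_example_save_settings' ); ?>
        <label>Delimiter
            <input type="text" name="bc_delimiter"
                   value="<?php echo esc_attr( $delimiter ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Plugins that register options through the Settings API (register_setting with settings_fields in the form) get the same nonce emitted and verified by WordPress core on the options.php submission path.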


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Shra; Shra genzel Breadcrumbs; Wordpress; Wordpress wordpress
Vendors & Products  |                | Shra; Shra genzel Breadcrumbs; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options_page function. This makes it possible for unauthenticated attackers to update the plugin's breadcrumb configuration, including templates, delimiter, home label, home URI, and breadcrumb rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title       |                | Genzel breadcrumbs <= 1.2 - Cross-Site Request Forgery to Settings Update via Plugin Settings Page
Weaknesses  |                | CWE-352
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Shra Genzel Breadcrumbs
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:32:12.997Z

Reserved: 2026-05-15T19:43:35.694Z

Link: CVE-2026-8708

Vulnrichment

Updated: 2026-05-27T10:32:08.399Z

NVD

Status : Received

Published: 2026-05-27T07:16:14.807

Modified: 2026-05-27T07:16:14.807

Link: CVE-2026-8708

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:53Z

Weaknesses