Description
The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's General Settings and to inject arbitrary web scripts into the administrator's browser, through the unescaped reflection of the app_name attribute, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The injected script executes even when the supplied app_name value fails validation and is not persisted to the database, because the form is re-rendered with the attacker-supplied in-memory value on validation failure.
Published: 2026-06-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.3. The flaw stems from missing or incorrect nonce validation in the handleSaveGeneralSettings function (the save_general_settings action), so the request that saves the plugin's General Settings carries no proof that the logged-in administrator intended to send it. An unauthenticated attacker who can get an administrator to open an attacker-controlled page (for example by clicking a link) can have the administrator's browser submit a forged request with the administrator's session cookies attached. That request either modifies the General Settings or, when the supplied app_name value fails validation, causes the settings form to be re-rendered with the attacker-supplied value unescaped, so arbitrary JavaScript executes in the administrator's browser even though nothing is written to the database. The script is reflected, not stored: it runs in the context of the admin session for that single response and does not by itself give the attacker persistent access, although code running as the administrator can issue further requests with that session while the page is open. This is a classic instance of CWE-352, where the integrity of the request is not verified. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) yields 4.3 Medium: no privileges are required, but user interaction is, and the assessed impact is limited to integrity. The EPSS score is below 1% and the CVE is not listed in the CISA KEV catalog, so there is no indication of exploitation in the wild at the time of analysis. Nonetheless, the CSRF vector is cheap to weaponize against any WordPress site running an affected version of WpMobi whose administrators follow untrusted links while logged in.

Affected Systems

Affected systems are WordPress sites running the WpMobi plugin (vendor listed as rahulbhangale) at version 0.0.3 or earlier. Exploitation targets logged-in administrators: the forged request only has effect when a browser holding an active administrator session submits it to the plugin's General Settings save handler.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is below 1% and the CVE is absent from the KEV catalog, which suggests no known public exploitation at the time of analysis (the SSVC assessment records Exploitation: none and Automatable: no). The CSRF nature of the flaw nonetheless lets an unauthenticated attacker craft a link or auto-submitting form that, once an administrator opens it, modifies the plugin settings or reflects attacker-controlled JavaScript into the admin interface. The injected script is transient, since the rejected value is never persisted, but it runs with the administrator's session for that response.

Generated by OpenCVE AI on June 9, 2026 at 06:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WpMobi as soon as a release that adds nonce validation (and output escaping) to the General Settings save handler becomes available; at the time of this page no fixed version is listed
  • Until then, deactivate the plugin or restrict access to its General Settings page so that the save_general_settings handler cannot be reached with a privileged session, and have administrators avoid following untrusted links while logged in
  • When a fix arrives, verify that it validates a nonce with check_admin_referer() or wp_verify_nonce() and escapes app_name with esc_attr() wherever the form is re-rendered, so that a value that fails validation is never reflected unescaped
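The pattern described in the Impact section and the fix called for in the actions above, side by side, as an added illustration. This is not the WpMobi plugin's code (the plugin source is not reproduced on this page): only the action name save_general_settings and the field name app_name come from the advisory; the option name, nonce action, capability, validation rule and every wpmobi_example_* function name are assumptions made for the example.

```php
<?php
/**
 * Added illustration, not the WpMobi plugin's code. Only the action name
 * (save_general_settings) and the field name (app_name) come from the advisory;
 * the option name, nonce action, capability, validation rule and the
 * wpmobi_example_* names are assumptions made for this example.
 */

/* ---- Vulnerable pattern: no nonce check and unescaped re-render on failure ---- */

function wpmobi_example_render_form_vulnerable( $app_name, $error = '' ) {
	// The value is echoed straight into an attribute. A submitted app_name of
	// "><script>...</script> closes the attribute and runs in the admin's browser,
	// even though the handler below never saved it.
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	echo '<input type="hidden" name="action" value="save_general_settings">';
	if ( $error ) {
		echo '<p class="error">' . esc_html( $error ) . '</p>';
	}
	echo '<input type="text" name="app_name" value="' . $app_name . '">'; // VULNERABLE: no esc_attr()
	echo '<button type="submit">Save</button></form>';
}

function wpmobi_example_save_vulnerable() {
	// No check_admin_referer(): a form on any site the administrator visits can
	// POST here and the browser attaches the admin's WordPress cookies (CWE-352).
	$app_name = isset( $_POST['app_name'] ) ? wp_unslash( $_POST['app_name'] ) : '';

	if ( '' === $app_name || strlen( $app_name ) > 50 ) { // assumed validation rule
		// Validation failed: nothing is written to the database, but the
		// attacker-controlled in-memory value is reflected into the response.
		wpmobi_example_render_form_vulnerable( $app_name, 'App name must be 1-50 characters.' );
		return;
	}
	update_option( 'wpmobi_example_app_name', sanitize_text_field( $app_name ) );
	wp_safe_redirect( admin_url( 'admin.php?page=wpmobi&updated=1' ) );
	exit;
}

/* ---- Hardened pattern: capability check, nonce check, escaped output ---- */

function wpmobi_example_render_form_hardened( $app_name, $error = '' ) {
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	echo '<input type="hidden" name="action" value="save_general_settings">';
	// Emits a hidden _wpnonce field tied to the current user and this action.
	wp_nonce_field( 'wpmobi_example_save_general_settings' );
	if ( $error ) {
		echo '<p class="error">' . esc_html( $error ) . '</p>';
	}
	// esc_attr() is the output fix: the same rejected value is now inert.
	echo '<input type="text" name="app_name" value="' . esc_attr( $app_name ) . '">';
	echo '<button type="submit">Save</button></form>';
}

function wpmobi_example_save_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You do not have permission to change these settings.', '', array( 'response' => 403 ) );
	}
	// Dies (HTTP 403) before anything below runs if _wpnonce is missing or
	// invalid, so a forged cross-site request never reaches the re-render path.
	check_admin_referer( 'wpmobi_example_save_general_settings' );

	$app_name = isset( $_POST['app_name'] ) ? sanitize_text_field( wp_unslash( $_POST['app_name'] ) ) : '';

	if ( '' === $app_name || strlen( $app_name ) > 50 ) {
		wpmobi_example_render_form_hardened( $app_name, 'App name must be 1-50 characters.' );
		return;
	}
	update_option( 'wpmobi_example_app_name', $app_name );
	wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=wpmobi' ) ) );
	exit;
}

// admin-post.php dispatches a POST with action=save_general_settings to this hook.
// Only the hardened handler is registered; the vulnerable one is kept for contrast.
add_action( 'admin_post_save_general_settings', 'wpmobi_example_save_hardened' );
```

The two controls cover different halves of the advisory. check_admin_referer() binds the request to the administrator's own form and defeats the CSRF outright, including the settings change, because the forged request dies before the handler runs. esc_attr() makes the reflected value harmless on any path that re-renders it. Input validation is not a substitute for either: the handler in the advisory already rejected the value and still reflected it, and sanitize_text_field() on input does not protect a render path that echoes the raw in-memory string.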

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Rahulbhangale, Rahulbhangale wpmobi, Wordpress, Wordpress wordpress
Vendors & Products                    Rahulbhangale, Rahulbhangale wpmobi, Wordpress, Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's General Settings and inject arbitrary web scripts into the administrator's browser via the unescaped app_name attribute reflection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected script executes even when the supplied app_name value fails validation and is not persisted to the database, because the form is re-rendered with the attacker-supplied in-memory value on validation failure.
Title WpMobi <= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Rahulbhangale Wpmobi
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T14:55:56.546Z

Reserved: 2026-05-18T21:49:46.336Z

Link: CVE-2026-8909

Vulnrichment

Updated: 2026-06-09T14:55:50.171Z

NVD

Status : Deferred

Published: 2026-06-09T05:16:40.590

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:56:08Z

Weaknesses