CVE-2026-1081
Unknown Unknown - Not Provided
CSRF in WordPress Set Bulk Post Categories Plugin Allows Unauthorized Category Modification

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-24
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1081
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor set_bulk_post_categories to 1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Set Bulk Post Categories WordPress plugin (up to version 1.1). It occurs because the plugin lacks nonce validation on its bulk category update functionality. This means an attacker can trick an authenticated site administrator into clicking a malicious link, which then causes the administrator's browser to send a forged request that modifies post categories in bulk without their explicit consent.

Impact Analysis

The vulnerability allows an unauthenticated attacker to modify post categories in bulk by tricking a site administrator into performing an action such as clicking a link. This can lead to unauthorized changes in the organization and classification of posts on the WordPress site, potentially disrupting content management and site structure.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the bulk category update functionality of the Set Bulk Post Categories plugin in WordPress. Since the vulnerability involves missing nonce validation, you can look for POST requests to the plugin's admin page that modify post categories without a valid nonce token. Network monitoring tools or web application firewalls (WAF) can be configured to alert on such requests. Specific commands depend on your environment, but for example, using command-line tools like curl to simulate requests or grep to search web server logs for POST requests to the plugin's endpoint may help. However, no exact commands are provided in the resources.

Mitigation Strategies

Immediate mitigation steps include updating the Set Bulk Post Categories plugin to a version that includes nonce validation to prevent CSRF attacks. If an update is not available, restrict access to the plugin's admin page to trusted administrators only, and consider disabling the plugin until a fix is released. Additionally, educating administrators to avoid clicking on suspicious links that could trigger forged requests can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart