CVE-2026-1081
CSRF in WordPress Set Bulk Post Categories Plugin Allows Unauthorized Category Modification
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | set_bulk_post_categories | to 1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Set Bulk Post Categories WordPress plugin (up to version 1.1). It occurs because the plugin lacks nonce validation on its bulk category update functionality. This means an attacker can trick an authenticated site administrator into clicking a malicious link, which then causes the administrator's browser to send a forged request that modifies post categories in bulk without their explicit consent.
How can this vulnerability impact me? :
The vulnerability allows an unauthenticated attacker to modify post categories in bulk by tricking a site administrator into performing an action such as clicking a link. This can lead to unauthorized changes in the organization and classification of posts on the WordPress site, potentially disrupting content management and site structure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the bulk category update functionality of the Set Bulk Post Categories plugin in WordPress. Since the vulnerability involves missing nonce validation, you can look for POST requests to the plugin's admin page that modify post categories without a valid nonce token. Network monitoring tools or web application firewalls (WAF) can be configured to alert on such requests. Specific commands depend on your environment, but for example, using command-line tools like curl to simulate requests or grep to search web server logs for POST requests to the plugin's endpoint may help. However, no exact commands are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Set Bulk Post Categories plugin to a version that includes nonce validation to prevent CSRF attacks. If an update is not available, restrict access to the plugin's admin page to trusted administrators only, and consider disabling the plugin until a fix is released. Additionally, educating administrators to avoid clicking on suspicious links that could trigger forged requests can help reduce risk.