CVE-2026-1208
Unknown Unknown - Not Provided
CSRF Vulnerability in Welcart Plugin Allows Unauthorized Settings Change

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Meta Information
Published: 2026-01-24
Last Modified: 2026-01-24
Generated: 2026-05-07
AI Q&A: 2026-01-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: unknown_vendor
Product: friendly_functions_for_welcart
Version / Range: up to and including 1.2.5
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Friendly Functions for Welcart WordPress plugin, versions up to and including 1.2.5. The plugin's settings page saves changes without a valid nonce check. A WordPress nonce is a per-user, time-limited token that a form must carry so the server can tell a submission the administrator actually made from one that a third-party page forged. Because the plugin does not check the nonce, or checks it incorrectly, a page the attacker controls can submit the settings form on the administrator's behalf: the administrator's browser attaches the site's session cookies automatically, so all the attacker needs is for a logged-in administrator to visit a page or click a link the attacker controls. [2]
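The bug class described above, as an added example that is not code from Friendly Functions for Welcart (this page does not show the plugin's source): a minimal WordPress settings plugin with its save handler written twice, once with no nonce check, which is the CWE-352 pattern, and once with the capability and nonce checks WordPress provides. The plugin name, option name, menu slug and nonce action are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: CSRF Nonce Demo (hypothetical; not Friendly Functions for Welcart)
 * Description: One settings form, two handlers: a nonce-less one that reproduces
 *              the CWE-352 pattern and a hardened one. Hook only one at a time.
 */

// Option name and nonce action are assumptions for this example.
const CSRF_DEMO_OPTION = 'csrf_demo_settings';
const CSRF_DEMO_NONCE  = 'csrf_demo_save_settings';

add_action( 'admin_menu', function () {
    add_options_page( 'CSRF Demo', 'CSRF Demo', 'manage_options',
        'csrf-demo', 'csrf_demo_render_page' );
} );

function csrf_demo_render_page() {
    $settings = get_option( CSRF_DEMO_OPTION, array( 'notice' => '' ) );
    ?>
    <div class="wrap">
        <h1>CSRF Demo</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="csrf_demo_save">
            <?php
            // Emits a hidden _wpnonce field tied to this action and the logged-in
            // user. Emitting it is worthless unless the handler verifies it.
            wp_nonce_field( CSRF_DEMO_NONCE );
            ?>
            <label>Store notice
                <input type="text" name="notice"
                       value="<?php echo esc_attr( $settings['notice'] ); ?>">
            </label>
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

// VULNERABLE (CWE-352): any page an administrator visits can POST to
// admin-post.php?action=csrf_demo_save; the browser attaches the admin's
// cookies and nothing here proves the admin intended the change.
function csrf_demo_save_vulnerable() {
    update_option( CSRF_DEMO_OPTION,
        array( 'notice' => wp_unslash( $_POST['notice'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=csrf-demo&saved=1' ) );
    exit;
}

// HARDENED: capability check plus nonce check. check_admin_referer() stops the
// request when _wpnonce is missing or was not minted for this action and this
// user, so a forged cross-site POST never reaches update_option().
function csrf_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( CSRF_DEMO_NONCE ); // verifies $_REQUEST['_wpnonce']
    $notice = sanitize_text_field( wp_unslash( $_POST['notice'] ?? '' ) );
    update_option( CSRF_DEMO_OPTION, array( 'notice' => $notice ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=csrf-demo&saved=1' ) );
    exit;
}

// admin_post_{action} fires for logged-in users only. Swap in
// csrf_demo_save_vulnerable on a test site to reproduce the bug class.
add_action( 'admin_post_csrf_demo_save', 'csrf_demo_save_hardened' );
```

The point of the pair is that the attacker never needs the nonce value: a nonce is bound to the victim's session and expires, so a forged form cannot carry a valid one, and the only thing that protects the option is the handler refusing to proceed without it. The capability check is separate and necessary too, since a nonce only proves intent, not authority.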


How can this vulnerability impact me?

This vulnerability lets an unauthenticated attacker change the plugin's settings by tricking a logged-in administrator into submitting a forged request. Which settings can be changed depends on what the plugin's settings page exposes; the advisory does not enumerate them. Changing them alters how the plugin behaves on the storefront and so degrades the integrity of the site configuration and the shopper's experience. On its own the issue is not reported to disclose data or compromise the server, but the real impact should be judged against what the affected settings control, since a setting that governs output or behaviour can become a stepping stone for a further attack. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is mainly an inventory check: find sites running Friendly Functions for Welcart at version 1.2.5 or earlier. The installed version is shown on the WordPress admin Plugins screen, in the Version: header of the plugin's main PHP file, and in the Stable tag line of its readme.txt. The readme is usually world-readable, so from outside the site: curl -s https://your-site.com/wp-content/plugins/friendly-functions-for-welcart/readme.txt | grep "Stable tag" (the directory name is assumed to match the plugin slug; if the readme is blocked or the slug differs, check from the server side, for example with WP-CLI's plugin list command). Note that Stable tag can lag the release or be absent, so the Version: header of the main plugin file is the authoritative value. Exploitation attempts are harder to see: a forged request arrives at the settings page as an ordinary authenticated POST from the administrator's own browser, and the nonce parameter (_wpnonce) travels in the POST body, which web server access logs do not record. What can be observed is the request's provenance: a POST to the plugin's settings page whose Origin or Referer header names another host, or, when inspected in Burp Suite or a request-logging proxy, an admin POST that carries no _wpnonce at all, is the signal to look for. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Update Friendly Functions for Welcart to a release later than 1.2.5; this advisory lists every version up to and including 1.2.5 as affected, so the first release after it (1.2.6 or newer) is the one to install, and its changelog should confirm that nonce verification was added to the settings page. If you cannot update right away, be clear about what each stopgap buys. Restricting who can reach the settings page to trusted administrators does not by itself stop CSRF, because the forged request is issued by a trusted administrator's own browser; it only shrinks the pool of users who can be targeted. More useful is to have administrators avoid browsing untrusted sites while logged in to wp-admin, or to use a separate browser profile for administration, and to add a WAF or server rule that rejects POST requests to wp-admin whose Origin or Referer header names a foreign host. Such a rule cannot verify the nonce itself, and blocking requests that carry no Referer at all will break legitimate users behind privacy tools, so log first and block only foreign-host values. [2]
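For the detection question and the cannot-update-yet case above, an added example that is not part of this advisory or of the plugin: a must-use plugin that, before any settings handler runs, classifies each authenticated admin POST by the host in its Origin or Referer header, logs anything it cannot verify, and rejects foreign-host submissions. The plugin name, function names, constant and log format are assumptions; the decision is kept in a standalone function so it can be exercised outside WordPress.

```php
<?php
/**
 * Plugin Name: Admin POST Origin Guard (hypothetical; not part of Welcart or this advisory)
 * Description: Defense in depth while a plugin without nonce checks is installed:
 *              logs and rejects authenticated admin POSTs from a foreign host.
 *              Place the file in wp-content/mu-plugins/.
 */

// Set to false to log verdicts without blocking while checking for false positives.
const APOG_ENFORCE = true;

/**
 * Classify one request. Pure function, usable outside WordPress.
 *
 * @param string $method    REQUEST_METHOD.
 * @param array  $headers   Optional 'origin' and 'referer' keys with raw header values.
 * @param string $site_host Host part of the site's home URL.
 * @return string 'allow', 'allow-unverifiable' or 'block'.
 */
function apog_classify( $method, array $headers, $site_host ) {
    if ( in_array( strtoupper( $method ), array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return 'allow'; // Safe methods must not change state; GET-based saves need their own fix.
    }
    $site_host = strtolower( $site_host );

    // Browsers send Origin on cross-site POSTs and a page cannot forge it, so it wins.
    if ( ! empty( $headers['origin'] ) ) {
        $host = strtolower( (string) parse_url( $headers['origin'], PHP_URL_HOST ) );
        // "null" (sandboxed frame, data: URL) parses to no host and counts as foreign.
        return ( '' !== $host && $host === $site_host ) ? 'allow' : 'block';
    }
    if ( ! empty( $headers['referer'] ) ) {
        $host = strtolower( (string) parse_url( $headers['referer'], PHP_URL_HOST ) );
        return ( '' !== $host && $host === $site_host ) ? 'allow' : 'block';
    }
    // Neither header: Referrer-Policy: no-referrer and privacy extensions do this
    // legitimately, so record the request rather than block it.
    return 'allow-unverifiable';
}

add_action( 'admin_init', function () {
    if ( ! is_user_logged_in() ) {
        return; // Nothing to forge without an authenticated session.
    }
    $headers = array(
        'origin'  => $_SERVER['HTTP_ORIGIN'] ?? '',
        'referer' => $_SERVER['HTTP_REFERER'] ?? '',
    );
    $verdict = apog_classify(
        $_SERVER['REQUEST_METHOD'] ?? 'GET',
        $headers,
        (string) wp_parse_url( home_url(), PHP_URL_HOST )
    );
    if ( 'allow' === $verdict ) {
        return;
    }
    error_log( sprintf(
        'apog %s user=%d uri=%s origin=%s referer=%s',
        $verdict,
        get_current_user_id(),
        $_SERVER['REQUEST_URI'] ?? '',
        $headers['origin'],
        $headers['referer']
    ) );
    if ( 'block' === $verdict && APOG_ENFORCE ) {
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 ); // Priority 0: runs before plugin handlers hooked to admin_init at the default 10.
```

Run it with APOG_ENFORCE set to false for a few days and review the apog lines in the PHP error log: every 'block' on a legitimate host (a www/apex mismatch with home_url, a proxy rewriting the Host) is a false positive to fix before enforcing. The guard covers wp-admin pages, admin-post.php and admin-ajax.php, which is where admin_init fires; a plugin that saves settings on an earlier hook such as init needs the callback moved there. It is a stopgap, not a replacement for the nonce check: it proves only where the browser says the request came from, while a nonce proves the administrator was shown this form by this site.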

