CVE-2026-2023
CSRF Vulnerability in WP Plugin Info Card Allows Admin Actions
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlxplugins | wp_plugin_info_card | up to and including 6.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Plugin Info Card plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 6.2.0. This vulnerability arises because the ajax_save_custom_plugin() function does not properly validate a security token called a nonce. Specifically, the nonce check is disabled by prefixing it with 'false &&', effectively bypassing the protection. As a result, an attacker who tricks a site administrator into clicking a malicious link can create or modify custom plugin entries without proper authorization.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to perform unauthorized actions on the WordPress site by exploiting the administrator's session. Specifically, attackers can create or modify custom plugin entries via forged requests if they can trick an administrator into clicking a malicious link. This can lead to unauthorized changes in the site's plugin configuration, potentially compromising site integrity or enabling further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Cross-Site Request Forgery (CSRF) due to missing nonce validation in the ajax_save_custom_plugin() function of the WP Plugin Info Card plugin. Detection involves monitoring for unauthorized or forged AJAX requests attempting to create or modify custom plugin entries.
To detect exploitation attempts on your system, you can monitor HTTP requests to the WordPress admin AJAX endpoint (typically /wp-admin/admin-ajax.php) for suspicious POST requests with the action parameter related to saving custom plugins (e.g., action=ajax_save_custom_plugin) that lack valid nonce tokens.
Suggested commands include using network traffic inspection tools or web server logs to filter such requests. For example, using grep on web server logs to find suspicious AJAX calls:
- grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=ajax_save_custom_plugin'
- grep 'admin-ajax.php' /var/log/nginx/access.log | grep 'action=ajax_save_custom_plugin'
Additionally, monitoring for POST requests without valid nonce parameters or with known invalid nonce values can help detect attempts to exploit this vulnerability.
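The grep commands above find the raw hits; the added PHP CLI script below (not part of this advisory or of the plugin) goes one step further over constructed combined-format log lines: it parses each request, keeps only admin-ajax.php calls with action=ajax_save_custom_plugin, and records whether a nonce parameter was present and whether the Referer points off-site, which is the shape a forged request from an attacker-controlled page normally has. The log lines, IP addresses, hostnames and nonce values are constructed. One caveat worth keeping in mind: an access log records only the request line, so the action and nonce are visible here only when they travel in the query string; parameters sent in a POST body are not in the access log and need a WAF, reverse-proxy or application-level log instead.

```php
<?php
// Added example, not the plugin's code: flag admin-ajax.php requests that carry the
// vulnerable action. Log lines are constructed for illustration.
$log_lines = [
    '203.0.113.10 - - [18/Feb/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_save_custom_plugin&slug=injected HTTP/1.1" 200 53 "https://attacker.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Feb/2026:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_save_custom_plugin&nonce=9f3a1c2b4d HTTP/1.1" 200 53 "https://site.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Feb/2026:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "https://site.example/wp-admin/" "Mozilla/5.0"',
];

/**
 * Return the suspicious entries: admin-ajax.php calls whose query string names the
 * vulnerable action. Each finding records whether a nonce parameter was present at
 * all and whether the Referer host differs from the site's own host.
 *
 * @param string[] $lines     Combined-format access log lines.
 * @param string   $site_host Hostname of the WordPress site (assumed: site.example).
 * @return array<int, array<string, mixed>>
 */
function find_suspicious_ajax_calls(array $lines, string $site_host): array
{
    $findings = [];
    foreach ($lines as $line) {
        // Extract method, request target and Referer from the combined log format.
        if (!preg_match('/"(?P<method>[A-Z]+) (?P<target>\S+) HTTP\/[\d.]+" \d+ \S+ "(?P<referer>[^"]*)"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m['target']);
        if (($url['path'] ?? '') !== '/wp-admin/admin-ajax.php') {
            continue;
        }
        parse_str($url['query'] ?? '', $params);
        if (($params['action'] ?? '') !== 'ajax_save_custom_plugin') {
            continue;
        }
        $referer_host = parse_url($m['referer'], PHP_URL_HOST);
        $findings[] = [
            'method'          => $m['method'],
            // Either of the two common WordPress nonce field names counts as "present".
            'has_nonce'       => isset($params['nonce']) || isset($params['_wpnonce']),
            'offsite_referer' => $referer_host !== null && $referer_host !== $site_host,
            'line'            => $line,
        ];
    }
    return $findings;
}

foreach (find_suspicious_ajax_calls($log_lines, 'site.example') as $f) {
    printf(
        "%s nonce=%s offsite_referer=%s  %s\n",
        $f['method'],
        $f['has_nonce'] ? 'yes' : 'no',
        $f['offsite_referer'] ? 'yes' : 'no',
        $f['line']
    );
}
```

Run it with `php scan.php` after replacing `$log_lines` with lines read from the real access log. On the constructed input the first line is the one to look at: it names the vulnerable action, carries no nonce at all, and arrives with an off-site Referer. A nonce being present, as in the second line, says nothing about its validity; only the plugin's own verification can decide that.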
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WP Plugin Info Card plugin to a version that includes the security fix which properly implements nonce validation in the ajax_save_custom_plugin() function and related AJAX handlers.
This fix was committed in a changeset on 02/05/2026 that strengthens nonce validation to prevent unauthorized or forged requests, ensuring only legitimate, authenticated users can create or modify custom plugins.
If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the WordPress admin AJAX endpoint to trusted IP addresses to reduce the risk of exploitation.
Also, educate site administrators to avoid clicking on suspicious links that could trigger forged requests.
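To make the defect described in the explanation above and the fix described in this mitigation section concrete, here is an added reconstruction of the handler, written for this page rather than taken from the plugin. It shows the weakened check the advisory describes (the nonce verification short-circuited with `false &&`) beside a hardened version that uses WordPress's standard `check_ajax_referer()` and a capability check. The function names, the nonce action string `wppic_save_custom_plugin`, the request field names and the option key are assumptions, not the plugin's real identifiers.

```php
<?php
// Added example, not the plugin's own code. Names and keys below are assumed.

// VULNERABLE (the "before" state the advisory describes): 'false &&' short-circuits
// the condition, so wp_verify_nonce() never runs and a forged POST from any page the
// administrator visits reaches the write below.
function vulnerable_ajax_save_custom_plugin() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( false && ! wp_verify_nonce( $nonce, 'wppic_save_custom_plugin' ) ) {
        wp_send_json_error( 'Invalid nonce' ); // unreachable
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    update_option( 'wppic_custom_plugin_' . $slug, wp_unslash( $_POST['data'] ?? array() ) );
    wp_send_json_success();
}

// HARDENED: verify the nonce first, then the capability, then sanitize the input.
function hardened_ajax_save_custom_plugin() {
    // check_ajax_referer() verifies the nonce bound to the action string against the
    // 'nonce' request field and, by default, terminates the request when it fails.
    check_ajax_referer( 'wppic_save_custom_plugin', 'nonce' );

    // A nonce proves the request originated from a page this site rendered for this
    // user; it does not prove the user may perform the action. Check that separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'Missing slug', 400 );
    }
    $data = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['data'] ?? array() ) );
    update_option( 'wppic_custom_plugin_' . $slug, $data );
    wp_send_json_success( array( 'slug' => $slug ) );
}

// Register only the logged-in hook; no wp_ajax_nopriv_ variant, so anonymous
// requests never reach the handler at all.
add_action( 'wp_ajax_ajax_save_custom_plugin', 'hardened_ajax_save_custom_plugin' );

// The admin page that issues the request must embed a matching token, for example
// wp_create_nonce( 'wppic_save_custom_plugin' ) handed to the script via
// wp_localize_script(), and send it as the 'nonce' field of the POST body.
```

The order in the hardened handler matters: the nonce check runs before anything else so a forged request is rejected before any input is touched, and the capability check is kept separate because a valid nonce issued to a low-privilege user must not be enough to reach an administrator-only write. When reviewing a fix for this class of bug, confirm both that the `false &&` (or any equivalent dead-code guard) is gone and that every AJAX handler registered with `add_action( 'wp_ajax_...' )` performs both checks.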