CVE-2026-2023
Received Received - Intake
CSRF Vulnerability in WP Plugin Info Card Allows Admin Actions

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2023
EUVD
EUVD-2026-8059
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlxplugins wp_plugin_info_card to 6.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP Plugin Info Card plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 6.2.0. This vulnerability arises because the ajax_save_custom_plugin() function does not properly validate a security token called a nonce. Specifically, the nonce check is disabled by prefixing it with 'false &&', effectively bypassing the protection. As a result, an attacker who tricks a site administrator into clicking a malicious link can create or modify custom plugin entries without proper authorization.

Impact Analysis

This vulnerability allows unauthenticated attackers to perform unauthorized actions on the WordPress site by exploiting the administrator's session. Specifically, attackers can create or modify custom plugin entries via forged requests if they can trick an administrator into clicking a malicious link. This can lead to unauthorized changes in the site's plugin configuration, potentially compromising site integrity or enabling further attacks.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves Cross-Site Request Forgery (CSRF) due to missing nonce validation in the ajax_save_custom_plugin() function of the WP Plugin Info Card plugin. Detection involves monitoring for unauthorized or forged AJAX requests attempting to create or modify custom plugin entries.

To detect exploitation attempts on your system, you can monitor HTTP requests to the WordPress admin AJAX endpoint (typically /wp-admin/admin-ajax.php) for suspicious POST requests with the action parameter related to saving custom plugins (e.g., action=ajax_save_custom_plugin) that lack valid nonce tokens.

Suggested commands include using network traffic inspection tools or web server logs to filter such requests. For example, using grep on web server logs to find suspicious AJAX calls:

  • grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=ajax_save_custom_plugin'
  • grep 'admin-ajax.php' /var/log/nginx/access.log | grep 'action=ajax_save_custom_plugin'

Additionally, monitoring for POST requests without valid nonce parameters or with known invalid nonce values can help detect attempts to exploit this vulnerability.

Mitigation Strategies

The primary mitigation step is to update the WP Plugin Info Card plugin to a version that includes the security fix which properly implements nonce validation in the ajax_save_custom_plugin() function and related AJAX handlers.

This fix was committed in a changeset on 02/05/2026 that strengthens nonce validation to prevent unauthorized or forged requests, ensuring only legitimate, authenticated users can create or modify custom plugins.

If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to the WordPress admin AJAX endpoint to trusted IP addresses to reduce the risk of exploitation.

Also, educate site administrators to avoid clicking on suspicious links that could trigger forged requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2023. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart