CVE-2026-4118
Status: Received - Intake
CSRF Vulnerability in WordPress Call To Action Plugin Settings

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Wordfence

Description
The Call To Action Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function, which handles saving, creating, and deleting plugin settings. The form rendered on the settings page does not include a wp_nonce_field(), and the save handler does not call wp_verify_nonce() or check_admin_referer() before processing settings updates via $wpdb->update(). This makes it possible for unauthenticated attackers to modify plugin settings such as the call-to-action box title, content, link URL, image URL, colors, and other configuration options via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking on a link.
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wordpressthemes
Product: call_to_action_plugin
Version / Range: up to 3.1.3 (inclusive)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The Call To Action Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.1.3. The settings page performs no nonce validation: the form lacks a wp_nonce_field(), and the save handler does not verify a nonce with wp_verify_nonce() or check_admin_referer() before writing settings through $wpdb->update(). A WordPress nonce is the value that ties a submission to the logged-in user and to one specific action, and it is the one value a third-party page cannot obtain. Without it, a page under the attacker's control can submit a form to the settings URL, the victim's browser attaches the administrator's session cookies automatically, and the handler accepts the forged submission as a legitimate save. The attacker can thereby change the call-to-action box title, content, link URL, image URL, colors, and other configuration options.


How can this vulnerability impact me?

An unauthenticated attacker can change the plugin's settings without the administrator's consent, but only by luring a logged-in administrator into triggering the forged request, for example by clicking a link or visiting a page the attacker controls. Once that happens, the attacker controls the call-to-action box's title, content, URLs, image, colors, and other configuration. Because the box is rendered to site visitors, the practical impact is defacement and redirection: a replaced link URL can send visitors to a phishing or malware page under the site's own branding, and altered content can mislead them or damage the site's reputation. The advisory describes settings modification only; it does not indicate code execution or account takeover.


What immediate steps should I take to mitigate this vulnerability?

Update the Call To Action Plugin to a release that adds nonce validation to cbox_options_page(). This page does not name the patched version, so check the plugin's changelog for a release after 3.1.3 that addresses the issue; if none exists and the risk is unacceptable, deactivate the plugin until one does.

Until the plugin is fixed, administrators should avoid opening untrusted links while logged in to the site and should log out of wp-admin when not using it; a CSRF request only succeeds while the victim's session cookie is valid.

Patching the plugin locally is also possible: add wp_nonce_field() to the form in cbox_options_page(), verify it with check_admin_referer() or wp_verify_nonce() before any settings update, and add a current_user_can('manage_options') check so that the handler also enforces authorization, not just intent. Keep in mind that such an edit is overwritten by the next plugin update, so treat it as a tracked stopgap rather than a fix.
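The pattern the advisory describes, beside a hardened version, as an added illustration: this is not the plugin's own source (the page does not reproduce it). Only the function name cbox_options_page() and the use of $wpdb->update() come from the advisory; the two function names below, the field and table names, the nonce action 'cbox_save_settings', the nonce field name 'cbox_nonce' and the text domain 'cbox' are assumptions.

```php
<?php
// Added example, not the Call To Action Plugin's own code. Table name, field
// names, nonce action/name and text domain are assumptions for illustration.

// --- Pattern described in CVE-2026-4118 ------------------------------------
function cbox_options_page_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'cbox_settings'; // assumed table name

    if ( isset( $_POST['cbox_save'] ) ) {
        // No nonce check and no capability check: any request that arrives
        // with the administrator's cookies is accepted, including one that a
        // page on another origin auto-submitted from the admin's browser.
        $wpdb->update(
            $table,
            array(
                'title'    => $_POST['cbox_title'],
                'content'  => $_POST['cbox_content'],
                'link_url' => $_POST['cbox_link_url'],
            ),
            array( 'id' => (int) $_POST['cbox_id'] )
        );
    }
    ?>
    <form method="post">
        <!-- No wp_nonce_field(): the form carries nothing a forger cannot guess -->
        <input type="text" name="cbox_title" />
        <input type="submit" name="cbox_save" value="Save" />
    </form>
    <?php
}

// --- Hardened version --------------------------------------------------------
function cbox_options_page_fixed() {
    global $wpdb;
    $table = $wpdb->prefix . 'cbox_settings'; // assumed table name

    // Authorization first: a settings page should require manage_options
    // before it even looks at the request body.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do this.', 'cbox' ) );
    }

    if ( isset( $_POST['cbox_save'] ) ) {
        // check_admin_referer() verifies the nonce for this action and user
        // (and dies with "The link you followed has expired" on failure).
        // A form served from another origin cannot obtain a valid value.
        check_admin_referer( 'cbox_save_settings', 'cbox_nonce' );

        $wpdb->update(
            $table,
            array(
                'title'    => sanitize_text_field( wp_unslash( $_POST['cbox_title'] ) ),
                'content'  => wp_kses_post( wp_unslash( $_POST['cbox_content'] ) ),
                'link_url' => esc_url_raw( wp_unslash( $_POST['cbox_link_url'] ) ),
            ),
            array( 'id' => absint( $_POST['cbox_id'] ) ),
            array( '%s', '%s', '%s' ), // value formats
            array( '%d' )              // where format
        );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'cbox_save_settings', 'cbox_nonce' ); ?>
        <input type="text" name="cbox_title" />
        <input type="submit" name="cbox_save" value="Save" />
    </form>
    <?php
}
```

The nonce and the capability check do different jobs: check_admin_referer() proves the request came from a form WordPress rendered for this user and this action (intent), while current_user_can() proves the user is allowed to change settings at all (authorization). The hardened version also sanitizes each field before it reaches $wpdb->update(), which is independent of the CSRF issue but belongs in the same handler.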


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The advisory pins the flaw to versions up to and including 3.1.3 and to the cbox_options_page() function, so detection comes down to two checks: whether a vulnerable version is installed, and whether the settings form and its save handler really lack a nonce. Note that "missing nonce" is not a usable traffic signal here: the vulnerable form never emits a nonce, so legitimate saves and forged saves are identical at the request level, and HTTPS hides request bodies from tcpdump or Wireshark in any case.

To detect this vulnerability on your system, you can:

  • Check the installed version of the Call To Action Plugin; anything at or below 3.1.3 is affected.
  • Review the plugin's source, specifically cbox_options_page(), to confirm that the form has no wp_nonce_field() and that the save path reaches $wpdb->update() without a wp_verify_nonce() or check_admin_referer() call.
  • Look in the web server access log for POST requests to the plugin's settings page whose Referer is empty or comes from a foreign host, and correlate them with unexpected changes to the call-to-action settings.

Example commands on a server with shell access (the directory name call-to-action-plugin is assumed; substitute the actual plugin folder under wp-content/plugins/):

  • To list installed plugin versions with WP-CLI, run: wp plugin list --fields=name,version,status
  • Without WP-CLI, read the version from the main plugin file header: grep -m1 -i 'Version:' wp-content/plugins/call-to-action-plugin/*.php (readme.txt carries a "Stable tag:" line rather than "Version:")
  • To search for nonce usage in the plugin files, run: grep -rn -E 'wp_nonce_field|check_admin_referer|wp_verify_nonce' wp-content/plugins/call-to-action-plugin/ (no output means the plugin does no nonce handling at all)
  • To find admin POSTs whose Referer is not your own site in an Apache combined log, run: grep '"POST /wp-admin/' /var/log/apache2/access.log | grep -v '"https://example.com/' (replace example.com with your site's host)
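The log-side heuristic from the list above, carried out over a few constructed access-log lines, as an added example (not from the advisory or the plugin). It reads Apache "combined" format, which records the Referer but not the Origin header, and flags POST requests into wp-admin whose Referer is absent or belongs to another host. The site host example.com, the settings page query string page=cbox-settings, and the sample log lines are all constructed for the example.

```php
<?php
// Added example, not part of the advisory. Scans Apache "combined" access-log
// lines for admin POSTs with a missing or foreign Referer, the server-side
// shape of a CSRF submission launched from an attacker's page.

const SITE_HOST = 'example.com'; // constructed: the host the site is served on

// Constructed sample lines. Line 1 is a normal save, line 2 was submitted from
// a foreign page, line 3 arrived with no Referer, line 4 is a harmless GET.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [22/Apr/2026:10:01:12 +0000] "POST /wp-admin/options-general.php?page=cbox-settings HTTP/1.1" 200 5120 "https://example.com/wp-admin/options-general.php?page=cbox-settings" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2026:10:04:55 +0000] "POST /wp-admin/options-general.php?page=cbox-settings HTTP/1.1" 200 5120 "https://attacker.example.net/lure.html" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2026:10:05:02 +0000] "POST /wp-admin/options-general.php?page=cbox-settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [22/Apr/2026:10:06:40 +0000] "GET /wp-admin/options-general.php?page=cbox-settings HTTP/1.1" 200 5120 "https://example.com/wp-admin/" "Mozilla/5.0"
LOG;

// Split one combined-format line into named fields; null if it does not parse.
function parse_combined(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

// A state-changing admin request whose Referer does not name our own host.
// Browsers may legitimately omit the Referer (Referrer-Policy, privacy
// extensions), so this is a triage signal to correlate with actual settings
// changes, not proof of an attack.
function looks_cross_site(array $req, string $site_host): bool {
    if ($req['method'] !== 'POST' || strpos($req['path'], '/wp-admin/') !== 0) {
        return false;
    }
    if ($req['referer'] === '-' || $req['referer'] === '') {
        return true;
    }
    $host = parse_url($req['referer'], PHP_URL_HOST);
    return strcasecmp((string) $host, $site_host) !== 0;
}

// Return the parsed requests that deserve a look.
function find_suspicious(string $log, string $site_host): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_combined($line);
        if ($req !== null && looks_cross_site($req, $site_host)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

foreach (find_suspicious(SAMPLE_LOG, SITE_HOST) as $hit) {
    printf("%s %s %s referer=%s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['referer']);
}
```

On the constructed input, the second and third lines are reported and the first and fourth are not. To run it against a real log, replace SAMPLE_LOG with file_get_contents() of the access log and SITE_HOST with your own host; if you control the LogFormat, adding %{Origin}i gives a stronger signal than Referer, since browsers always send Origin on cross-site POSTs.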

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to modify plugin settings via Cross-Site Request Forgery, potentially leading to unauthorized changes in website content and configuration.

While the CVE description does not explicitly mention impacts on compliance with standards such as GDPR or HIPAA, unauthorized modification of website settings could indirectly affect compliance by compromising the integrity and security of the website.

For example, if the plugin settings control elements related to user data handling or display, attackers could manipulate these settings to violate privacy or security requirements mandated by such regulations.

However, no direct linkage to compliance violations is provided in the available information.

