CVE-2026-4139
Status: Received - Intake
CSRF in mCatFilter WordPress Plugin Allows Settings Modification

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Wordfence

Description
The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability checks in the compute_post() function, which processes settings updates. compute_post() is called from the plugin constructor on every page load via the plugins_loaded hook, and it writes $_POST data straight into the plugin settings with update_option() without any CSRF token validation. Because the handler runs on every request, a forged POST does not have to target the plugin's settings page to reach it. This makes it possible for unauthenticated attackers to modify all plugin settings, including category exclusion rules, feed exclusion flags, and tag page exclusion flags, via a forged POST request, provided they can trick a site administrator into performing an action such as clicking a link.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor      Product          Version / Range
mcatalog    mcatalogfilter   up to 0.5.2 (inclusive)
wordfence   mcatfilter       up to 0.5.2 (inclusive)
mcatalog    mcafilter        up to 0.5.2 (inclusive)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph (figure not reproduced on this page)
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to modify plugin settings via forged POST requests without any CSRF token validation. This could lead to unauthorized changes in website behavior and data handling.

However, there is no specific information provided about the direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

The mCatFilter plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 0.5.2. This happens because the plugin's compute_post() function, which updates settings, does not verify nonces or check user capabilities. The function processes POST data on every page load without validating CSRF tokens, allowing attackers to trick site administrators into unknowingly modifying plugin settings through forged requests.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to modify all plugin settings by tricking a site administrator into performing an action like clicking a malicious link. The attacker can change category exclusion rules, feed exclusion flags, and tag page exclusion flags, potentially disrupting site behavior or content filtering.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the mCatFilter plugin to a release later than 0.5.2 in which compute_post() verifies a nonce and checks capabilities, as soon as the vendor publishes one. This page does not list a fixed version, so check the plugin's changelog before assuming an update is safe.

If no fixed release is available, deactivate the plugin until a patch is released, or add nonce verification and capability checks to the settings handler yourself (check_admin_referer() and current_user_can('manage_options') are the WordPress primitives for this) so that a forged POST request can no longer modify plugin settings.

Telling administrators not to click suspicious links helps little on its own: the forged request can be a hidden, auto-submitting form on any page the administrator opens while logged in to WordPress. Reduce the exposure window instead: log out of wp-admin when finished, use a separate browser profile for site administration, and do not rely on browser SameSite cookie defaults, which block cross-site POSTs in some browsers but not all.
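As an added example (not the plugin's own code, and not the vendor's fix, which this page does not describe), the following PHP contrasts the pattern the Description attributes to compute_post() with a handler that has the nonce and capability checks this answer recommends. Class, option, field, nonce and hook names are assumptions chosen for the illustration.

```php
<?php
// Added illustration, not the mCatFilter plugin's code and not the vendor's fix.
// Class, option, field, nonce and hook names below are assumptions.

// ---- Vulnerable pattern, as the advisory describes compute_post() ----------
class MCF_Vulnerable_Settings {
    public function __construct() {
        // Fires on every request (front end, admin, any user), so a forged
        // POST to any URL on the site reaches compute_post().
        add_action( 'plugins_loaded', array( $this, 'compute_post' ) );
    }

    public function compute_post() {
        if ( empty( $_POST ) ) {
            return;
        }
        // No check_admin_referer(), no current_user_can(): a POST sent by the
        // administrator's browser from an attacker's page rewrites the settings.
        update_option( 'mcf_exclude_cats', (string) ( $_POST['mcf_exclude_cats'] ?? '' ) );
        update_option( 'mcf_exclude_feed', empty( $_POST['mcf_exclude_feed'] ) ? '0' : '1' );
        update_option( 'mcf_exclude_tags', empty( $_POST['mcf_exclude_tags'] ) ? '0' : '1' );
    }
}

// ---- Hardened pattern -------------------------------------------------------
class MCF_Hardened_Settings {
    const NONCE_ACTION = 'mcf_save_settings';
    const NONCE_FIELD  = '_mcf_nonce';

    public function __construct() {
        // Writes happen only through admin-post.php with action=mcf_save_settings,
        // and only for logged-in users: the admin_post_nopriv_* hook is not registered.
        add_action( 'admin_post_' . self::NONCE_ACTION, array( $this, 'handle_save' ) );
    }

    public function handle_save() {
        // 1. Capability check: the current user must be allowed to manage options.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', 403 );
        }
        // 2. CSRF check: dies unless a nonce valid for this user and action is present.
        check_admin_referer( self::NONCE_ACTION, self::NONCE_FIELD );

        // 3. Sanitize: keep only positive integer category IDs.
        $raw  = isset( $_POST['mcf_exclude_cats'] ) ? wp_unslash( $_POST['mcf_exclude_cats'] ) : '';
        $cats = array_filter( array_map( 'absint', explode( ',', $raw ) ) );

        update_option( 'mcf_exclude_cats', implode( ',', $cats ) );
        update_option( 'mcf_exclude_feed', empty( $_POST['mcf_exclude_feed'] ) ? '0' : '1' );
        update_option( 'mcf_exclude_tags', empty( $_POST['mcf_exclude_tags'] ) ? '0' : '1' );

        wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=mcf' ) ) );
        exit;
    }

    // The settings form posts to admin-post.php and carries the matching nonce.
    public function render_form() {
        ?>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="<?php echo esc_attr( self::NONCE_ACTION ); ?>">
            <?php wp_nonce_field( self::NONCE_ACTION, self::NONCE_FIELD ); ?>
            <p><label>Excluded category IDs
                <input type="text" name="mcf_exclude_cats"
                       value="<?php echo esc_attr( get_option( 'mcf_exclude_cats', '' ) ); ?>"></label></p>
            <p><label><input type="checkbox" name="mcf_exclude_feed" value="1"
                <?php checked( get_option( 'mcf_exclude_feed' ), '1' ); ?>> Exclude from feeds</label></p>
            <p><label><input type="checkbox" name="mcf_exclude_tags" value="1"
                <?php checked( get_option( 'mcf_exclude_tags' ), '1' ); ?>> Exclude from tag pages</label></p>
            <?php submit_button( 'Save settings' ); ?>
        </form>
        <?php
    }
}
```

Moving the write into an admin_post_* handler, rather than bolting checks onto the plugins_loaded callback, matters for a second reason: both current_user_can() and nonce verification depend on the current user, which WordPress only sets up reliably at init or later. A forged POST to admin-post.php without the nonce dies in check_admin_referer(); a forged POST to any other URL no longer reaches a handler at all.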


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the mCatFilter WordPress plugin writing settings from POST data without nonce verification or capability checks, so a forged POST request sent by an administrator's browser modifies plugin settings.

To detect exploitation attempts, monitor HTTP POST requests reaching the WordPress site. Two caveats matter. First, a standard access log records the request line, status, Referer and User-Agent but not the POST body, so the settings parameters themselves are visible only in a WAF or ModSecurity audit log or in a packet capture. Second, the forged request is not unauthenticated: it carries the victim administrator's session cookie and looks like any other logged-in request.

What distinguishes a forged settings POST is (a) a POST to a URL that normally only receives GETs (because the handler runs on every page load, the attacker can post to the home page or any article), (b) a Referer or Origin header from another site, or none at all, and (c) no WordPress nonce parameter. A legitimate save from the plugin's settings page has a same-site Referer and a nonce.

Example commands (adapt paths, hostnames and the plugin slug to your environment):

  • Pull POSTs out of the Apache access log, dropping endpoints that legitimately receive POSTs and requests whose Referer is your own site (replace www.example.com): grep '"POST ' /var/log/apache2/access.log | grep -vE '(wp-cron|xmlrpc|admin-ajax|wp-comments-post)\.php' | grep -v '"https://www.example.com/'
  • Capture plaintext HTTP POSTs on the wire (useful only on port 80 or behind a TLS-terminating proxy; on 443 the payload is encrypted): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST'
  • Check the installed version and the plugin's stored settings with WP-CLI. The option names are not given on this page, so search for them, and the slug mcatfilter is an assumption to confirm with wp plugin list: wp plugin get mcatfilter --field=version and wp option list --search='*mcat*'

Record the option values as a baseline and diff them periodically. An unexplained change to the exclusion settings, together with a cross-site or Referer-less POST in the log around the same time, is the strongest signal of exploitation.
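As an added example, not from the page or the plugin, this PHP CLI script applies that idea to Apache/nginx combined-format log lines: it flags POST requests whose Referer is absent or from a host other than the site, skipping endpoints that legitimately receive such POSTs, and does not filter on a path because the vulnerable handler runs on every page load. The site hostname and the sample log lines are constructed assumptions.

```php
<?php
// Added example, not from the advisory or the plugin. Scans "combined" format
// access log lines (Apache/nginx default) and flags POST requests whose Referer
// is missing or belongs to another host. Because the vulnerable handler runs on
// every page load, the target path is not a useful filter, so none is used.
// The site hostname and the sample log lines below are constructed assumptions.

const SITE_HOST = 'blog.example';

// Endpoints that legitimately receive POSTs with no or a foreign Referer.
const EXPECTED_POST_PATHS = array( '/wp-cron.php', '/xmlrpc.php' );

// Parses one combined-format line into its fields, or returns null if it does not match.
function parse_combined_line( string $line ): ?array {
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'client'  => $m[1],
        'user'    => $m[2],
        'time'    => $m[3],
        'method'  => $m[4],
        'path'    => $m[5],
        'status'  => (int) $m[6],
        'referer' => $m[7],
        'ua'      => $m[8],
    );
}

// A POST is suspicious when it is not an expected POST endpoint and its Referer
// is absent or from a host other than the site. A forged request from an
// attacker's page looks like this even though it carries the victim's cookies.
function is_suspicious_post( array $r, string $site_host ): bool {
    if ( $r['method'] !== 'POST' ) {
        return false;
    }
    $path = strtok( $r['path'], '?' );
    if ( in_array( $path, EXPECTED_POST_PATHS, true ) ) {
        return false;
    }
    if ( $r['referer'] === '' || $r['referer'] === '-' ) {
        return true;
    }
    $host = parse_url( $r['referer'], PHP_URL_HOST );
    return strcasecmp( (string) $host, $site_host ) !== 0;
}

function scan_log( array $lines, string $site_host ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = parse_combined_line( trim( $line ) );
        if ( $r !== null && is_suspicious_post( $r, $site_host ) ) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample traffic: a legitimate save from the settings page (line 2),
// a forged POST to the home page from an attacker's site (line 3), a cron ping
// (line 4) and a Referer-less POST to an ordinary article (line 5).
$sample_lines = array(
    '203.0.113.7 - - [22/Apr/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Apr/2026:10:01:05 +0000] "POST /wp-admin/options-general.php?page=mcatfilter HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php?page=mcatfilter" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Apr/2026:10:03:41 +0000] "POST / HTTP/1.1" 200 5120 "https://attacker.example/prize.html" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Apr/2026:10:04:00 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.5"',
    '203.0.113.7 - - [22/Apr/2026:10:05:13 +0000] "POST /2026/04/hello-world/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
);

if ( PHP_SAPI === 'cli' ) {
    $lines = $argc > 1 ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample_lines;
    foreach ( scan_log( $lines, SITE_HOST ) as $hit ) {
        printf( "%s %s POST %s referer=%s\n", $hit['time'], $hit['client'], $hit['path'], $hit['referer'] );
    }
}
```

Run it with no arguments to see it flag lines 3 and 5 of the constructed sample, or as php mcf_post_scan.php /var/log/apache2/access.log against a real log. The Referer test is a heuristic: a browser with a strict Referrer-Policy can omit the header on legitimate same-site POSTs, so treat a hit as something to correlate with an unexplained change in the plugin's options rather than as proof of exploitation.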

