CVE-2026-6396
CSRF in Fast & Fancy Filter Plugin Allows Unauthorized Settings Modification
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 3f | fast_and_fancy_filter | to 1.2.2 (inc) |
| fast_and_fancy | filter | to 1.2.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Fast & Fancy Filter β 3F plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in versions up to and including 1.2.2.
This vulnerability exists because the plugin's saveFields() function, which handles the fff_save_settins AJAX action, lacks nonce verification.
As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking on a malicious link, which then allows the attacker to modify plugin filter settings, update arbitrary options, or create new filter posts without authorization.
How can this vulnerability impact me? :
This vulnerability can allow an unauthenticated attacker to change plugin settings or create new content on your WordPress site by tricking an administrator into performing an action.
Such unauthorized changes could lead to altered site behavior, potential misuse of site features, or the introduction of unwanted content, which may affect the integrity and reliability of your website.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts by exploiting a Cross-Site Request Forgery (CSRF) flaw. This could potentially lead to unauthorized changes in website behavior or data handling.
However, there is no specific information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Fast & Fancy Filter β 3F plugin for WordPress to a version later than 1.2.2 where the nonce verification issue in the saveFields() function is fixed.
Additionally, avoid clicking on suspicious links that could trigger forged requests, and ensure that only trusted administrators have access to the WordPress backend.