CVE-2026-8418
Deferred - Pending Action
Cross-Site Request Forgery in Games Catalog WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() function, which handles the delete action (action=delete) via a GET request without any wp_verify_nonce() / check_admin_referer() call. This makes it possible for unauthenticated attackers to delete arbitrary game catalog entries (including the associated WordPress post created for the game) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
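The following is an added illustration of the pattern described above and its hardened form; it is not the plugin's own code. The helper gc_delete_game(), the nonce action string, the admin page slug and the capability name are assumed for the example.

```php
<?php
// Illustrative example only; not the Games Catalog plugin's actual source.
// gc_delete_game(), 'gc_delete_game_<id>', 'manage_options' and the
// 'games-catalog' page slug are hypothetical names chosen for this example.

// Vulnerable pattern as the advisory describes it: the delete action is taken
// straight from a GET parameter with no nonce check, so any request an
// administrator's browser can be tricked into sending is honoured.
function gc_crud_vulnerable() {
    if ( isset( $_GET['action'] ) && 'delete' === $_GET['action'] ) {
        $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
        gc_delete_game( $id ); // removes the catalog row and its post
    }
}

// Hardened version: require a nonce bound to this action and record,
// verify it with check_admin_referer(), then confirm the caller actually
// holds the capability the action needs (nonces prove intent, not rights).
function gc_crud_hardened() {
    if ( ! isset( $_GET['action'] ) || 'delete' !== $_GET['action'] ) {
        return;
    }
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;

    // Dies with a 403 if _wpnonce is missing, expired, or was issued for a
    // different action string (i.e. a different record).
    check_admin_referer( 'gc_delete_game_' . $id );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete games.', 'games-catalog' ), 403 );
    }
    gc_delete_game( $id );
}

// The admin UI must emit links carrying the matching nonce so legitimate
// clicks keep working; wp_nonce_url() appends _wpnonce for the same action.
function gc_delete_link( $id ) {
    $url = add_query_arg(
        array( 'action' => 'delete', 'id' => absint( $id ) ),
        admin_url( 'admin.php?page=games-catalog' )
    );
    return wp_nonce_url( $url, 'gc_delete_game_' . absint( $id ) );
}

add_action( 'admin_init', 'gc_crud_hardened' );
```

A forged link built by a third party cannot carry a valid _wpnonce for the victim's session, so check_admin_referer() rejects it before gc_delete_game() runs.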
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-06-09
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Vendor               Product          Version / Range
wp_gaming_catalog    games_catalog    up to 1.2.0 (inclusive)
CWE ID     Description
CWE-352    The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Mitigation Strategies

The vulnerability exists because the Games Catalog plugin for WordPress versions up to 1.2.0 does not properly validate nonces in the gc_crud() function, allowing unauthenticated attackers to delete game catalog entries via a forged GET request.

Immediate mitigation steps include updating the Games Catalog plugin to a version later than 1.2.0 where this issue is fixed.

If an update is not immediately available, consider disabling or removing the vulnerable plugin until a patch is applied.

Additionally, educate site administrators to avoid clicking on suspicious links that could trigger the delete action.

Detection Guidance

This vulnerability involves the Games Catalog plugin for WordPress allowing unauthenticated deletion of game catalog entries via a GET request with action=delete without proper nonce validation.

To detect exploitation attempts on your system or network, you can monitor HTTP GET requests targeting the vulnerable endpoint with the parameter action=delete.

For example, you can use web server access logs or network traffic inspection to search for requests containing "action=delete" related to the Games Catalog plugin.

  • Using grep on web server logs: grep "action=delete" /path/to/access.log
  • Using tcpdump to capture TCP segments that carry payload on port 80 and filter for the parameter: sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "action=delete"

Additionally, monitoring for unusual deletion of game catalog entries or WordPress posts associated with the plugin may indicate exploitation.

Executive Summary

The Games Catalog plugin for WordPress versions up to and including 1.2.0 is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This vulnerability arises because the gc_crud() function, which handles the delete action via a GET request, lacks proper nonce validation such as wp_verify_nonce() or check_admin_referer().

As a result, an attacker can trick a site administrator into clicking a malicious link that causes the deletion of arbitrary game catalog entries, including the associated WordPress posts created for those games, without the administrator's explicit consent.

Impact Analysis

This vulnerability allows unauthenticated attackers to delete game catalog entries and their associated WordPress posts by tricking an administrator into performing an action such as clicking a malicious link.

The impact includes loss of data (game catalog entries and posts), potential disruption of website content, and administrative overhead to restore deleted content.
