CVE-2026-8418
Status: Received - Intake
Cross-Site Request Forgery in Games Catalog WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation in the gc_crud() function, which handles the delete action (action=delete) via a GET request without any wp_verify_nonce() / check_admin_referer() call. This makes it possible for unauthenticated attackers to delete arbitrary game catalog entries (including the associated WordPress post created for the game) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: wp_gaming_catalog
Product: games_catalog
Version / Range: up to and including 1.2.0
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability exists because the Games Catalog plugin for WordPress versions up to 1.2.0 does not properly validate nonces in the gc_crud() function, allowing unauthenticated attackers to delete game catalog entries via a forged GET request.

Immediate mitigation steps include updating the Games Catalog plugin to a version later than 1.2.0 where this issue is fixed.

If an update is not immediately available, consider disabling or removing the vulnerable plugin until a patch is applied.

Additionally, educate site administrators to avoid clicking on suspicious links that could trigger the delete action.


Can you explain this vulnerability to me?

The Games Catalog plugin for WordPress versions up to and including 1.2.0 is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This vulnerability arises because the gc_crud() function, which handles the delete action via a GET request, lacks proper nonce validation such as wp_verify_nonce() or check_admin_referer().

As a result, an attacker can trick a site administrator into clicking a malicious link that causes the deletion of arbitrary game catalog entries, including the associated WordPress posts created for those games, without the administrator's explicit consent.
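The Description above and this answer both come down to one missing check: an admin-area handler that acts on action=delete from a GET request without confirming that the request carries a valid WordPress nonce. The following PHP is an added example, not code from the Games Catalog plugin, showing the unsafe pattern next to a hardened version and the matching link generator. The hook wiring, the 'id' query parameter, the nonce action string 'gc_delete_game_', the manage_options capability and the gc_delete_game() helper are all assumptions for illustration; the plugin's real names are not on this page.

```php
<?php
// Added example (not the Games Catalog plugin's own code). Shows how a handler
// shaped like gc_crud() can be protected against CSRF with the WordPress nonce
// API. Names below marked "assumed" are illustrative, not the plugin's.

// BEFORE: the pattern CVE-2026-8418 describes. The handler trusts the GET
// parameters alone; nothing proves the current admin intended this request.
function gc_crud_unsafe() {
    if ( isset( $_GET['action'] ) && $_GET['action'] === 'delete' ) {
        $id = absint( $_GET['id'] );   // 'id' parameter name is assumed
        gc_delete_game( $id );         // assumed helper; runs for any request
    }
}

// AFTER: require a capability and a per-user, per-action nonce before acting.
function gc_crud_safe() {
    if ( ! isset( $_GET['action'] ) || $_GET['action'] !== 'delete' ) {
        return;
    }
    $id = absint( $_GET['id'] );

    // Authorization first: a nonce is not a substitute for a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {   // capability is assumed
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() reads the '_wpnonce' query argument and verifies it
    // against the action string and the logged-in user's session. A link forged
    // by a third party cannot contain a valid value, so the call dies with a
    // 403 response instead of falling through to the delete.
    check_admin_referer( 'gc_delete_game_' . $id );   // action string is assumed

    gc_delete_game( $id );
}

// Legitimate delete links in the plugin's own admin screen must carry the same
// nonce, otherwise the hardened handler would reject them too. wp_nonce_url()
// appends a matching _wpnonce argument for the current user.
function gc_delete_link( $id ) {
    $url = add_query_arg(
        array( 'page' => 'games-catalog', 'action' => 'delete', 'id' => $id ), // 'page' slug assumed
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'gc_delete_game_' . $id );
}

// Hook the hardened handler into the admin request cycle (hook choice assumed).
add_action( 'admin_init', 'gc_crud_safe' );
```

Two design notes. check_admin_referer() terminates the request on failure, which is what you want for a state-changing action; wp_verify_nonce() only returns false and leaves the caller to decide, so a handler that uses it must also stop on a false return. Binding the nonce to the specific id ('gc_delete_game_' . $id) means a nonce minted for one entry cannot be replayed to delete another; a single shared action string would still block cross-site forgery but not that reuse.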


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to delete game catalog entries and their associated WordPress posts by tricking an administrator into performing an action such as clicking a malicious link.

The impact includes loss of data (game catalog entries and posts), potential disruption of website content, and administrative overhead to restore deleted content.

