CVE-2026-8939
Cross-Site Request Forgery in Search Simple Fields WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| search_simple_fields | plugin | up to and including 0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 0.2. The cause is that the plugin's function search_simple_fields_options() in functions_admin.php lacks proper nonce validation. As a result, an attacker can trick a site administrator into performing unintended actions, such as modifying the plugin's settings, by sending a forged request.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to modify the settings of the Search Simple Fields plugin if they can trick an administrator into clicking a malicious link. The attacker can change settings such as which post types to search, custom fields, media fields, and the custom media function name. This could lead to unauthorized changes in how the plugin behaves on your WordPress site.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this Cross-Site Request Forgery vulnerability in the Search Simple Fields plugin for WordPress, you should update the plugin to a version later than 0.2 where the nonce validation issue is fixed.
Additionally, as a temporary measure, avoid clicking on suspicious links and ensure that only trusted administrators have access to the WordPress admin area.
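For plugin developers and reviewers, the missing control described above is a nonce check in the settings handler. The following is an added example, not the plugin's own code or its fix: a hypothetical WordPress options page (every ssf_example_* name, option key and form field is an assumption) that checks the user's capability, validates a nonce before saving, and constrains the submitted values.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside wp-admin as a
// settings-page callback; all ssf_example_* names are hypothetical.
const SSF_EXAMPLE_ACTION = 'ssf_example_save_options';
const SSF_EXAMPLE_FIELD  = 'ssf_example_nonce';

function ssf_example_options_page() {
    // Authorization: only users who may manage site options get past here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ) );
    }

    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // CSRF check: ends the request unless the POST carries a valid nonce
        // that was issued to this user for this action.
        check_admin_referer( SSF_EXAMPLE_ACTION, SSF_EXAMPLE_FIELD );

        // Keep only post types that are actually registered.
        $types = isset( $_POST['post_types'] ) ? (array) wp_unslash( $_POST['post_types'] ) : array();
        $types = array_values( array_intersect( array_map( 'sanitize_key', $types ), get_post_types() ) );
        update_option( 'ssf_example_post_types', $types );

        // A stored function name must at least be a plain PHP identifier.
        $fn = isset( $_POST['media_function'] ) ? sanitize_text_field( wp_unslash( $_POST['media_function'] ) ) : '';
        if ( '' === $fn || preg_match( '/^[A-Za-z_][A-Za-z0-9_]*$/', $fn ) ) {
            update_option( 'ssf_example_media_function', $fn );
        }
    }

    $saved_types = (array) get_option( 'ssf_example_post_types', array() );
    $saved_fn    = (string) get_option( 'ssf_example_media_function', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( SSF_EXAMPLE_ACTION, SSF_EXAMPLE_FIELD ); ?>
        <?php foreach ( get_post_types( array( 'public' => true ) ) as $type ) : ?>
            <label>
                <input type="checkbox" name="post_types[]" value="<?php echo esc_attr( $type ); ?>"
                    <?php checked( in_array( $type, $saved_types, true ) ); ?>>
                <?php echo esc_html( $type ); ?>
            </label>
        <?php endforeach; ?>
        <input type="text" name="media_function" value="<?php echo esc_attr( $saved_fn ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When reviewing a settings handler, confirm that the nonce check runs before any update_option() call and that the nonce action and field name match the ones passed to wp_nonce_field() in the form.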