CVE-2026-4071
Deferred Deferred - Pending Action
Cross-Site Request Forgery in BirdSeed WordPress Plugin

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Wordfence

Description
The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-4071
EUVD
EUVD-2026-33888
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
birdseed plugin to 2.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The BirdSeed plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 2.2.0. This happens because the plugin's birdseed_plugin_settings_page() function does not validate a security nonce when processing the 'birdseed_token' GET parameter. As a result, an attacker can trick a site administrator into clicking a malicious link that changes the BirdSeed token setting without proper authorization.

Impact Analysis

This vulnerability allows an unauthenticated attacker to modify the BirdSeed token setting of the plugin by tricking an administrator into performing an action, such as clicking a crafted link. While it does not directly compromise confidentiality or availability, it can lead to unauthorized changes in the plugin's configuration, potentially affecting the integrity of the site.

Compliance Impact

The vulnerability allows unauthenticated attackers to change the BirdSeed token setting via a forged request by exploiting missing nonce validation. This could potentially lead to unauthorized changes in plugin settings if an administrator is tricked into clicking a malicious link.

However, there is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The vulnerability exists in all versions of the BirdSeed plugin up to and including 2.2.0 due to missing nonce validation, allowing unauthenticated attackers to change the BirdSeed token setting via forged requests.

Immediate mitigation steps include updating the BirdSeed plugin to a version later than 2.2.0 where the nonce validation issue is fixed.

If an update is not immediately possible, restrict access to the plugin settings page to trusted administrators only and avoid clicking on suspicious links that could trigger forged requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4071. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart