CVE-2026-4071
Cross-Site Request Forgery in BirdSeed WordPress Plugin
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| birdseed | plugin | up to and including 2.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The BirdSeed plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 2.2.0. The plugin's birdseed_plugin_settings_page() function acts on the 'birdseed_token' GET parameter without validating a nonce, so nothing proves that the request was intentionally submitted by the logged-in administrator. Because the change is triggered by a plain GET request, an unauthenticated attacker only needs a site administrator to follow a crafted link (or load a page that embeds it) while logged in; the administrator's browser then sends the request with their session cookies and the BirdSeed token setting is changed without their consent.
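The pattern described above, shown as an added illustration rather than the BirdSeed plugin's own code: the function and option names birdseed_plugin_settings_page and birdseed_token are taken from the advisory, while the surrounding structure, the capability check, the form markup and the nonce action string 'birdseed_save_token' are assumptions made for this example. The vulnerable variant reproduces the behaviour the advisory describes (a GET parameter changes an option with no nonce check); the hardened variant shows the three checks a settings handler in a WordPress plugin should have.

```php
<?php
// Added example, not the plugin's code. Names beyond those in the advisory
// (capability, nonce action, nonce field, form markup) are assumptions.

// --- Vulnerable pattern (what CVE-2026-4071 describes) ---
// Any request to the settings page carrying ?birdseed_token=... updates the
// option. Nothing ties the request to an action the administrator chose, so a
// link or <img src="..."> on a third-party page, loaded by a logged-in admin,
// changes the stored token.
function birdseed_plugin_settings_page_vulnerable() {
    if ( isset( $_GET['birdseed_token'] ) ) {
        update_option(
            'birdseed_token',
            sanitize_text_field( wp_unslash( $_GET['birdseed_token'] ) )
        );
    }
    // ... settings form is rendered here ...
}

// --- Hardened pattern ---
// 1. Only users allowed to manage options may change the setting.
// 2. The request must carry a nonce bound to this action and this user's
//    session; a cross-site page cannot obtain one, so the forged request fails.
// 3. The state change happens on POST, not on a GET parameter that can be
//    triggered simply by following a link.
function birdseed_plugin_settings_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'birdseed' ) );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['birdseed_token'] ) ) {
        // check_admin_referer() calls wp_die() if the nonce is missing or invalid.
        check_admin_referer( 'birdseed_save_token', 'birdseed_nonce' );
        update_option(
            'birdseed_token',
            sanitize_text_field( wp_unslash( $_POST['birdseed_token'] ) )
        );
    }

    $current = get_option( 'birdseed_token', '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'birdseed_save_token', 'birdseed_nonce' ); ?>
        <label for="birdseed_token">BirdSeed token</label>
        <input type="text" id="birdseed_token" name="birdseed_token"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save token' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, grep the admin-page handlers for reads of $_GET or $_POST that reach update_option() or similar without a preceding check_admin_referer() or wp_verify_nonce() call; a settings change keyed off a GET parameter, as here, is the strongest signal, since even a correct nonce does not stop a logged-in administrator from being lured into following a link that carries one (the nonce in a link is per-user and short-lived, so the attack on a nonce-protected GET still fails, but moving the write to POST removes the temptation to rely on that).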
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists in all versions of the BirdSeed plugin up to and including 2.2.0 due to missing nonce validation, allowing an unauthenticated attacker to change the BirdSeed token setting by getting a logged-in administrator to submit a forged request.
The immediate step is to update the BirdSeed plugin to a version later than 2.2.0, in which the nonce validation is added. Check the installed version from the Plugins screen or from the plugin's header before assuming you are patched.
If an update is not immediately possible, be aware that restricting who can reach the settings page does not defend against CSRF: the forged request is sent by the browser of an administrator who already has access. Interim measures are therefore limited to administrator hygiene (do not follow untrusted links while logged in to wp-admin; use a separate browser profile for administration) and to monitoring the stored BirdSeed token for changes nobody made deliberately.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to modify the BirdSeed token setting of the plugin by tricking an administrator into performing an action, such as clicking a crafted link. It does not directly compromise confidentiality or availability, but it lets an outsider change the plugin's configuration, affecting the integrity of the site; what that change amounts to in practice depends on what the BirdSeed token is used for, which the advisory does not describe.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an unauthenticated attacker to change the BirdSeed token setting via a forged request by exploiting missing nonce validation. This can lead to an unauthorized change in plugin settings if an administrator is tricked into clicking a malicious link.
However, the advisory provides no information about how this vulnerability affects compliance with standards and regulations such as GDPR or HIPAA.