WP Plugin Info Card Vulnerability (Medium) – CVE-2026-2023

Feb 17, 2026 | Plugins

Attack Vectors

WP Plugin Info Card (slug: wp-plugin-info-card) versions 6.2.0 and below are affected by a medium-severity Cross-Site Request Forgery (CSRF) issue (CVE-2026-2023, CVSS 4.3).

The most likely attack path is social engineering: an attacker persuades a site administrator to click a link or interact with a web page that silently sends a forged request to the WordPress site. Because the request is made in the context of the administrator’s active session, it can be processed as if the admin intended it.

In this case, the forged request can lead to the creation or modification of custom plugin entries inside WP Plugin Info Card. The attacker does not need to authenticate directly, but they do need a successful “trick” that causes an administrator to trigger the request while logged in.

Security Weakness

The vulnerability exists because the plugin's request verification is not properly enforced. Specifically, nonce validation is missing in the ajax_save_custom_plugin() function: the intended check is present in the code but is prefixed with 'false &&', so the condition short-circuits and the nonce verification never runs. As a result, the handler accepts any request that arrives with a logged-in administrator's cookies, whether or not the administrator intended it.

CSRF weaknesses matter to business stakeholders because they bypass intent: actions can occur under an authorized user’s session even when that user did not approve the change. That makes normal user access controls less reliable as a safeguard.

Severity is rated Medium (CVSS 4.3, vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), reflecting that user interaction is required, but the attack can still lead to unauthorized changes.
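To make the weakness concrete, here is a constructed illustration (added here, not code from WP Plugin Info Card) of an admin-ajax handler whose nonce check is dead code because of a 'false &&' prefix, followed by the hardened form. The AJAX action name, nonce action, option key and field names are assumptions.

```php
<?php
// Constructed example, not code from WP Plugin Info Card.
// Action, nonce and option names below are assumptions.

// BEFORE: the nonce check never runs because `false &&` short-circuits the
// condition, so a forged request riding on an admin's session cookies is
// saved exactly as if the admin had submitted the form.
function ajax_save_custom_plugin_vulnerable() {
    if ( false && ! wp_verify_nonce( $_POST['nonce'] ?? '', 'wppic_save_custom_plugin' ) ) {
        wp_send_json_error( 'Invalid nonce' );
    }
    $entries = get_option( 'wppic_custom_plugins', array() );
    $entries[ sanitize_key( $_POST['slug'] ?? '' ) ] = wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) );
    update_option( 'wppic_custom_plugins', $entries );
    wp_send_json_success();
}

// AFTER: check_ajax_referer() verifies the nonce and terminates the request
// (HTTP 403, body "-1") when it is missing or invalid. The capability check is
// separate because a nonce proves intent, not authorization.
function ajax_save_custom_plugin_fixed() {
    check_ajax_referer( 'wppic_save_custom_plugin', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'Missing slug', 400 );
    }
    $entries          = get_option( 'wppic_custom_plugins', array() );
    $entries[ $slug ] = wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) );
    update_option( 'wppic_custom_plugins', $entries );
    wp_send_json_success( array( 'slug' => $slug ) );
}
add_action( 'wp_ajax_wppic_save_custom_plugin', 'ajax_save_custom_plugin_fixed' );

// The admin page must hand a matching nonce to the script that posts the form,
// e.g. via wp_localize_script(), so legitimate saves include it:
// wp_localize_script( 'wppic-admin', 'wppicAdmin', array(
//     'nonce' => wp_create_nonce( 'wppic_save_custom_plugin' ),
// ) );
```

A quick code review check for the same class of defect is to grep the plugin for nonce-verification calls inside conditions that start with a constant (`false &&`, `0 &&`, `true ||`), which silently disable the check without removing it.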

Technical or Business Impacts

Content and brand integrity risk: Unauthorized creation or modification of custom plugin entries can cause inaccurate or misleading information to appear on your website. For marketing and brand teams, even small unauthorized changes can undermine credibility and conversion performance.

Governance and compliance risk: If your organization relies on documented approval flows for website changes, CSRF undermines those controls because modifications can occur without a traceable, intentional action by the right approver. This can create audit and policy exceptions for compliance teams.

Operational risk: Time is lost investigating “mystery” changes, validating what was altered, and restoring intended content. This can delay campaigns, disrupt reporting accuracy, and add unplanned work for IT and web teams.

Recommended action: Update WP Plugin Info Card to 6.3.0 or a newer patched version to remediate this issue, per the vendor guidance. Source: Wordfence vulnerability record.

Similar Attacks

CSRF is a common web application weakness that has impacted widely used platforms and plugins over time. The examples below illustrate how real-world CSRF issues can lead to unauthorized actions when an authenticated user is tricked into initiating a request:

WordPress core CSRF issue (CVE-2015-0230)
WordPress-related vulnerability record (CVE-2018-6389)
CISA security alerts and advisories (reference for web exploitation patterns)
