
CVE-2026-2023: CWE-352 Cross-Site Request Forgery (CSRF) in brikou WP Plugin Info Card

Severity: Medium
Published: Wed Feb 18 2026 (02/18/2026, 05:29:15 UTC)
Source: CVE Database V5
Vendor/Project: brikou
Product: WP Plugin Info Card

Description

The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function: the nonce check is disabled by prefixing it with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI-Powered Analysis

Last updated: 02/18/2026, 06:15:00 UTC

Technical Analysis

The WP Plugin Info Card plugin for WordPress, used to display plugin information cards, contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2026-2023. The vulnerability exists in all versions up to and including 6.2.0 because nonce validation in the ajax_save_custom_plugin() function has been disabled by prefixing the check with 'false &&', so the condition short-circuits and the security mechanism designed to prevent CSRF never runs. Nonce validation is a critical security control in WordPress: it ensures that state-changing requests originate from a page the legitimate user was actually viewing and not from a forged request. Because this validation is missing, an attacker can craft a malicious web page or link that, when visited or clicked by an authenticated site administrator, triggers unauthorized creation or modification of custom plugin entries. The attacker does not need to be authenticated, but the attack does require interaction from an administrator, making social engineering a key component of exploitation. The vulnerability affects the integrity of plugin data but not confidentiality or availability. The CVSS v3.1 score is 4.3 (medium severity), reflecting that exploitation requires no authentication but does require user interaction and has a limited impact scope. No public exploits are known at this time, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple administrators or high-value configurations.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized modifications of WordPress plugin data, potentially undermining the trustworthiness and functionality of websites. While it does not directly compromise the confidentiality of sensitive data or cause denial of service, altered plugin entries could serve as a foothold for further attacks, including injecting malicious code or misleading site visitors. Organizations relying on WordPress for customer-facing websites, e-commerce, or internal portals may face reputational damage or operational disruption if attackers exploit this flaw. Because exploitation requires administrator interaction, phishing or social engineering campaigns aimed at European IT staff are the likely delivery path and could increase. Given the widespread use of WordPress across Europe, especially in countries with large digital economies and extensive SME sectors, the risk is non-trivial. The absence of known exploits reduces the immediate threat but does not eliminate the risk of future exploitation.

Mitigation Recommendations

Organizations should monitor for and apply security patches from the plugin vendor as soon as they become available. In the absence of an official patch, administrators can reduce risk by disabling or restricting access to the ajax_save_custom_plugin() functionality, for example by restoring a nonce check or limiting the AJAX endpoint to authenticated users with the appropriate capability. Deploying a Web Application Firewall (WAF) with CSRF protection rules can help detect and block suspicious requests. Educating administrators about the risks of clicking unknown links and enforcing multi-factor authentication (MFA) for WordPress admin accounts reduce the likelihood of successful social engineering. Regular audits of plugin configurations and logs may help detect unauthorized changes early. Finally, organizations should consider limiting the number of users with administrative privileges to reduce exposure.
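The mitigation above (restore the nonce check and restrict the endpoint to trusted users), as an added example that is not the plugin's own code: the first handler illustrates the pattern the description reports, a nonce check short-circuited by 'false &&'; the second is a hardened handler of the same shape. The function names, the AJAX action and the nonce action string are assumptions.

```php
<?php
// Added example, not WP Plugin Info Card code. Handler, action and nonce
// names below are hypothetical.

// WEAK: 'false &&' makes the whole condition false, so check_ajax_referer()
// is never called and any request carrying the admin's cookies is processed.
function example_weak_ajax_save_custom_plugin() {
    if ( false && ! check_ajax_referer( 'example_save_custom_plugin', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    // ... saves the submitted custom plugin entry ...
    wp_send_json_success();
}

// HARDENED: verify the nonce, authorise the user, and register only the
// authenticated hook (no wp_ajax_nopriv_ variant), so anonymous requests never
// reach the handler.
function example_hardened_ajax_save_custom_plugin() {
    // Third argument defaults to true: on a bad nonce this sends -1 / HTTP 403
    // and terminates the request, so nothing below runs.
    check_ajax_referer( 'example_save_custom_plugin', 'nonce' );

    // A valid nonce proves the request came from a page we served; it does not
    // prove the user may change settings, so check the capability as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $name = isset( $_POST['plugin_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin_name'] ) )
        : '';
    if ( '' === $name ) {
        wp_send_json_error( 'Missing plugin name', 400 );
    }
    // ... persist the custom plugin entry here ...
    wp_send_json_success( array( 'saved' => $name ) );
}
add_action( 'wp_ajax_example_save_custom_plugin', 'example_hardened_ajax_save_custom_plugin' );

// The admin-side script must send the matching nonce; hand it over with
// wp_localize_script() so the JS can post it as the 'nonce' field.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_save_custom_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When auditing a plugin for this class of bug, grep AJAX handlers for `false &&`, `true ||` or commented-out `check_ajax_referer` / `wp_verify_nonce` calls, and confirm each state-changing handler also has a `current_user_can()` check.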


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-02-05T20:40:19.430Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6995557f80d747be2043e61e

Added to database: 2/18/2026, 6:00:31 AM

Last enriched: 2/18/2026, 6:15:00 AM

Last updated: 2/20/2026, 11:23:33 PM

