CVE-2026-8909: CWE-352 Cross-Site Request Forgery (CSRF) in rahulbhangale WpMobi
The WpMobi WordPress plugin up to version 0. 0. 3 is vulnerable to a Cross-Site Request Forgery (CSRF) attack due to missing or incorrect nonce validation in the handleSaveGeneralSettings function. This vulnerability allows an attacker to trick an administrator into submitting a forged request that modifies the plugin's General Settings and injects arbitrary scripts into the administrator's browser via the unescaped app_name attribute. The injected script executes even if the input fails validation and is not saved to the database because the form re-renders with the attacker-supplied value in memory. The CVSS score is 4. 3, indicating a medium severity level. No official patch or remediation guidance is currently available from the vendor or advisory sources.
AI Analysis
Technical Summary
CVE-2026-8909 is a CSRF vulnerability in the WpMobi WordPress plugin (versions up to 0.0.3) caused by missing or incorrect nonce validation on the handleSaveGeneralSettings function. This flaw enables unauthenticated attackers to craft requests that, when executed by an administrator, modify plugin settings and inject arbitrary JavaScript into the admin's browser through the unescaped app_name parameter. The script injection occurs even if the input fails validation and is not persisted, due to the form re-rendering with the attacker-controlled value in memory. This vulnerability does not require privileges and relies on social engineering to trick an admin into performing the action.
Potential Impact
An attacker can exploit this vulnerability to inject arbitrary scripts into an administrator's browser session, potentially leading to limited impact such as interface manipulation or session-based attacks. The vulnerability does not allow direct data confidentiality compromise or denial of service. The CVSS vector indicates no confidentiality or availability impact but a low integrity impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid clicking on untrusted links or performing actions from untrusted sources that could trigger the vulnerable function. Monitoring for updates from the plugin author or WordPress security advisories is recommended.
CVE-2026-8909: CWE-352 Cross-Site Request Forgery (CSRF) in rahulbhangale WpMobi
Description
The WpMobi WordPress plugin up to version 0. 0. 3 is vulnerable to a Cross-Site Request Forgery (CSRF) attack due to missing or incorrect nonce validation in the handleSaveGeneralSettings function. This vulnerability allows an attacker to trick an administrator into submitting a forged request that modifies the plugin's General Settings and injects arbitrary scripts into the administrator's browser via the unescaped app_name attribute. The injected script executes even if the input fails validation and is not saved to the database because the form re-renders with the attacker-supplied value in memory. The CVSS score is 4. 3, indicating a medium severity level. No official patch or remediation guidance is currently available from the vendor or advisory sources.
CVSS v3.1
Score 4.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-8909 is a CSRF vulnerability in the WpMobi WordPress plugin (versions up to 0.0.3) caused by missing or incorrect nonce validation on the handleSaveGeneralSettings function. This flaw enables unauthenticated attackers to craft requests that, when executed by an administrator, modify plugin settings and inject arbitrary JavaScript into the admin's browser through the unescaped app_name parameter. The script injection occurs even if the input fails validation and is not persisted, due to the form re-rendering with the attacker-controlled value in memory. This vulnerability does not require privileges and relies on social engineering to trick an admin into performing the action.
Potential Impact
An attacker can exploit this vulnerability to inject arbitrary scripts into an administrator's browser session, potentially leading to limited impact such as interface manipulation or session-based attacks. The vulnerability does not allow direct data confidentiality compromise or denial of service. The CVSS vector indicates no confidentiality or availability impact but a low integrity impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid clicking on untrusted links or performing actions from untrusted sources that could trigger the vulnerable function. Monitoring for updates from the plugin author or WordPress security advisories is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-18T21:49:46.336Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a279b3ce29bf47b5035aa17
Added to database: 6/9/2026, 4:49:00 AM
Last enriched: 6/9/2026, 5:05:05 AM
Last updated: 6/9/2026, 7:57:56 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.