CVE-2026-1072 Overview
The Keybase.io Verification plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.4.5. The vulnerability exists due to missing nonce validation when updating plugin settings, allowing unauthenticated attackers to manipulate the Keybase verification text through forged requests. Successful exploitation requires social engineering a site administrator into performing an action such as clicking a malicious link.
Critical Impact
Unauthenticated attackers can modify Keybase verification settings on WordPress sites by tricking administrators into clicking malicious links, potentially compromising site identity verification integrity.
Affected Products
- Keybase.io Verification plugin for WordPress versions up to and including 1.4.5
- WordPress installations using the wp-keybase-verification plugin
Discovery Timeline
- 2026-02-18 - CVE-2026-1072 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-1072
Vulnerability Analysis
This Cross-Site Request Forgery vulnerability stems from a fundamental security control failure in the plugin's settings update functionality. The affected code, located in admin/code/write.php at line 51, processes administrative settings changes without verifying the legitimacy of the request source. WordPress provides built-in nonce verification mechanisms specifically to prevent CSRF attacks, but the Keybase.io Verification plugin failed to implement these protections in the vulnerable versions.
When an administrator authenticates to WordPress and visits a page containing a malicious form or script crafted by an attacker, the browser automatically includes the administrator's session cookies with any requests made to the WordPress site. Without nonce validation, the plugin cannot distinguish between legitimate administrative actions and forged requests initiated by attacker-controlled content.
Root Cause
The root cause is the absence of nonce verification in the plugin's settings update handler. WordPress nonces (number used once) are security tokens that validate the origin of form submissions and AJAX requests. The vulnerable code path in write.php processes POST requests to update the Keybase verification text without calling wp_verify_nonce() or check_admin_referer(), leaving the functionality exposed to cross-site request forgery attacks.
Attack Vector
The attack requires network access and user interaction. An attacker must craft a malicious HTML page containing a form that submits to the vulnerable WordPress endpoint. The attacker then needs to trick an authenticated site administrator into visiting this malicious page. When the administrator's browser loads the page, it automatically submits the forged request using the administrator's valid session, causing the plugin settings to be modified without the administrator's knowledge or consent.
The attack could be delivered through phishing emails, malicious advertisements, compromised websites, or any mechanism that causes an administrator to visit an attacker-controlled page while authenticated to their WordPress dashboard.
Detection Methods for CVE-2026-1072
Indicators of Compromise
- Unexpected changes to Keybase verification text in plugin settings
- Unusual referrer headers in web server logs for requests to the plugin's settings endpoint
- Administrator reports of not making configuration changes that appear in the settings
- Audit log entries showing settings modifications without corresponding administrative sessions
Detection Strategies
- Monitor WordPress plugin settings changes through security audit logging plugins
- Implement web application firewall rules to detect CSRF attack patterns targeting WordPress admin endpoints
- Review web server access logs for POST requests to /wp-admin/ paths with external referrers
- Deploy endpoint monitoring to detect administrators accessing suspicious external URLs
Monitoring Recommendations
- Enable WordPress activity logging to track all administrative settings changes
- Configure alerts for plugin configuration modifications outside of normal maintenance windows
- Monitor for unusual traffic patterns targeting WordPress administrative endpoints
- Implement browser security headers like Content-Security-Policy to reduce CSRF attack surface
How to Mitigate CVE-2026-1072
Immediate Actions Required
- Update the Keybase.io Verification plugin to the latest patched version immediately
- Review current plugin settings to verify Keybase verification text has not been tampered with
- Audit WordPress activity logs for any unauthorized configuration changes
- Educate administrators about the risks of clicking unknown links while authenticated to WordPress
Patch Information
A security patch addressing this vulnerability is available through the WordPress plugin repository. The fix implements proper nonce validation for settings update operations. Administrators should update through the WordPress dashboard or by downloading the latest version from the WordPress Plugin Repository. Additional technical details are available in the Wordfence Vulnerability Report.
Workarounds
- Temporarily deactivate the Keybase.io Verification plugin until a patch can be applied
- Implement web application firewall rules to block suspicious POST requests to plugin settings endpoints
- Use browser security extensions that warn administrators before submitting cross-origin forms
- Ensure administrators log out of WordPress before browsing external websites
# Verify current plugin version and check for updates
wp plugin list --name=wp-keybase-verification --fields=name,version,update_version
# Update the plugin to the latest version
wp plugin update wp-keybase-verification
# Alternatively, temporarily deactivate the plugin until patched
wp plugin deactivate wp-keybase-verification
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
