CVE-2026-1081 Overview
CVE-2026-1081 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Set Bulk Post Categories plugin for WordPress. The flaw exists in all versions up to and including version 1.1. The plugin's bulk category update functionality omits nonce validation, allowing unauthenticated attackers to forge requests that modify post categories. Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting an attacker-controlled page. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery).
Critical Impact
Attackers can modify WordPress post categories in bulk by abusing administrator sessions through forged requests, impacting content integrity on affected sites.
Affected Products
- Set Bulk Post Categories plugin for WordPress — all versions up to and including 1.1
- WordPress sites with the plugin installed and activated
- Administrator accounts with active authenticated sessions
Discovery Timeline
- 2026-01-24 - CVE-2026-1081 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-1081
Vulnerability Analysis
The vulnerability stems from missing nonce validation in the bulk category update handler of the Set Bulk Post Categories plugin. WordPress provides a nonce mechanism (wp_nonce_field and check_admin_referer) to confirm that state-changing requests originate from authenticated administrative pages. The plugin's set-bulk-categories.php file processes category modification requests without verifying this token. As a result, the server accepts any request bearing valid administrator session cookies, regardless of origin.
The EPSS probability is 0.006%, reflecting a low predicted likelihood of exploitation in the wild. However, the vulnerability remains exploitable on any unpatched site where an administrator can be lured to an attacker-controlled page.
Root Cause
The root cause is the absence of CSRF token verification in the plugin's bulk update endpoint. The handler at line 36 of set-bulk-categories.php processes POST data and modifies post-category associations without invoking wp_verify_nonce or check_admin_referer. WordPress does not enforce nonce checks automatically; plugin developers must implement them explicitly.
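To make the root cause concrete, the following pair of handlers is an illustrative example written for this page; it is not the plugin's code and does not reproduce its line 36. The first function mirrors the shape of the flaw (a POST handler that applies category changes with no nonce check), the second adds the nonce and capability checks WordPress expects plugin authors to implement. The sbpc_ prefix, the action name sbpc_bulk_update and the form field names are assumptions.

```php
<?php
// Illustrative only, not the Set Bulk Post Categories plugin's code.
// Every sbpc_* name and field name here is assumed.

// VULNERABLE PATTERN: any POST carrying administrator cookies is acted on,
// whatever page or site it came from. This is the shape of CVE-2026-1081.
function sbpc_handle_bulk_update_vulnerable() {
    if ( empty( $_POST['sbpc_post_ids'] ) || empty( $_POST['sbpc_category_ids'] ) ) {
        return;
    }
    $post_ids     = array_map( 'intval', (array) $_POST['sbpc_post_ids'] );
    $category_ids = array_map( 'intval', (array) $_POST['sbpc_category_ids'] );
    foreach ( $post_ids as $post_id ) {
        // No nonce check and no capability check before the write.
        wp_set_post_categories( $post_id, $category_ids );
    }
}

// HARDENED PATTERN: the form must carry a nonce minted for this action, and
// the requesting user must be allowed to edit each post it touches.
function sbpc_render_bulk_form() {
    echo '<form method="post">';
    // Emits the hidden nonce field plus a _wp_http_referer field.
    wp_nonce_field( 'sbpc_bulk_update', 'sbpc_nonce' );
    // ... post and category selectors would go here ...
    submit_button( 'Apply categories' );
    echo '</form>';
}

function sbpc_handle_bulk_update_fixed() {
    if ( empty( $_POST['sbpc_post_ids'] ) || empty( $_POST['sbpc_category_ids'] ) ) {
        return;
    }
    // Stops the request with a 403 if the nonce is missing, expired,
    // or was minted for a different action or user.
    check_admin_referer( 'sbpc_bulk_update', 'sbpc_nonce' );

    $post_ids     = array_map( 'intval', (array) $_POST['sbpc_post_ids'] );
    $category_ids = array_map( 'intval', (array) $_POST['sbpc_category_ids'] );
    foreach ( $post_ids as $post_id ) {
        // A nonce proves intent, not authorization: still check capabilities per post.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            continue;
        }
        wp_set_post_categories( $post_id, $category_ids );
    }
}
add_action( 'admin_init', 'sbpc_handle_bulk_update_fixed' );
```

The nonce is bound to the action name, the logged-in user and a time window, so a form on an attacker's page cannot supply one; the capability check is kept separate because a valid nonce only shows the request came from the site's own form, not that the user may edit the selected posts.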
Attack Vector
An attacker hosts a malicious page containing an auto-submitting HTML form or JavaScript request targeting the vulnerable plugin endpoint on the victim's WordPress site. When an authenticated administrator visits the page, the browser includes session cookies with the cross-origin request. The plugin processes the request as legitimate and applies the attacker-specified category changes to posts in bulk. User interaction is required, which limits remote exploitability but does not prevent it in social engineering scenarios.
No verified proof-of-concept code is publicly available. Technical details are documented in the WordPress Plugin Code Browser and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-1081
Indicators of Compromise
- Unexpected bulk changes to post-category assignments in the WordPress database, particularly the wp_term_relationships table.
- Web server access logs showing POST requests to the plugin's bulk update endpoint with Referer headers pointing to external domains.
- Administrator browsing history containing suspicious external links immediately preceding category changes.
Detection Strategies
- Monitor HTTP requests targeting set-bulk-categories.php and inspect the Referer and Origin headers for mismatches against the site's own domain.
- Audit WordPress activity logs for bulk category modifications performed outside expected administrative workflows.
- Deploy a Web Application Firewall (WAF) rule that flags state-changing POST requests to the plugin endpoint lacking a valid nonce parameter.
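The Referer/Origin mismatch check from the first strategy, applied offline to web server access logs, as an added example that is not part of the advisory or the plugin. The site host, the plugin directory in the request path and the log lines themselves are constructed for the example; the only value taken from the advisory is the endpoint file name set-bulk-categories.php.

```php
<?php
// Added example: flag POST requests to the plugin endpoint whose Referer is
// off-site or absent. Host, paths and log lines below are constructed.

const SBPC_SITE_HOST = 'blog.example.com';        // assumed: the site's own host
const SBPC_ENDPOINT  = 'set-bulk-categories.php'; // endpoint named in the advisory

// Matches the common "combined" log format:
// ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const SBPC_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

// Classify one log line. Returns null for lines that are not POSTs to the endpoint.
function sbpc_classify_line( string $line ): ?array {
    if ( ! preg_match( SBPC_LOG_RE, $line, $m ) ) {
        return null;
    }
    [ , $ip, $time, $method, $path, $status, $referer ] = $m;
    if ( $method !== 'POST' || strpos( $path, SBPC_ENDPOINT ) === false ) {
        return null;
    }
    if ( $referer === '' || $referer === '-' ) {
        // A Referrer-Policy can strip the header, so this is "review", not "attack".
        $verdict = 'review: no Referer on state-changing request';
    } else {
        $host    = parse_url( $referer, PHP_URL_HOST );
        $verdict = ( is_string( $host ) && strcasecmp( $host, SBPC_SITE_HOST ) === 0 )
            ? 'ok: same-site referer'
            : 'alert: cross-site referer ' . $referer;
    }
    return [ 'ip' => $ip, 'time' => $time, 'status' => $status, 'verdict' => $verdict ];
}

// Constructed sample lines, not real traffic. The plugin directory name is assumed.
$sample_lines = [
    '203.0.113.7 - - [24/Jan/2026:10:02:11 +0000] "POST /wp-content/plugins/set-bulk-post-categories/set-bulk-categories.php HTTP/1.1" 302 0 "https://blog.example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jan/2026:10:05:40 +0000] "POST /wp-content/plugins/set-bulk-post-categories/set-bulk-categories.php HTTP/1.1" 302 0 "https://lure.example.net/offer.html" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jan/2026:10:06:02 +0000] "POST /wp-content/plugins/set-bulk-post-categories/set-bulk-categories.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jan/2026:10:07:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach ( $sample_lines as $line ) {
    $finding = sbpc_classify_line( $line );
    if ( $finding !== null ) {
        printf( "%s %s -> %s\n", $finding['time'], $finding['ip'], $finding['verdict'] );
    }
}
```

Run against a real log with `php classify.php < access.log` after swapping the sample array for lines read from STDIN. Combined-format logs do not record the Origin header, so a live check (as opposed to this retrospective one) should prefer Origin and fall back to Referer.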
Monitoring Recommendations
- Enable WordPress audit logging plugins to record category and taxonomy changes with timestamps and source IPs.
- Alert on administrator account activity originating from unfamiliar IP addresses or coinciding with outbound clicks to untrusted domains.
- Review web server logs for clusters of category-modification requests, especially those preceded by cross-origin navigation.
How to Mitigate CVE-2026-1081
Immediate Actions Required
- Deactivate and remove the Set Bulk Post Categories plugin until a patched version is released by the developer.
- Restrict administrator browsing on the WordPress backend and avoid clicking untrusted links while authenticated.
- Apply a WAF rule blocking POST requests to the plugin endpoint that lack a valid WordPress nonce token.
Patch Information
No patched version of the Set Bulk Post Categories plugin has been published at the time of this writing. Versions 1.1 and earlier remain vulnerable. Site operators should monitor the plugin's WordPress.org page and the Wordfence advisory for fix availability.
Workarounds
- Replace the plugin with an alternative that implements nonce validation on all state-changing actions.
- Enforce SameSite=Strict or SameSite=Lax cookie attributes on WordPress authentication cookies to reduce CSRF exposure. Note that Lax still sends cookies on top-level cross-site GET navigations, so it only protects the endpoint if the handler rejects GET requests.
- Use a dedicated browser profile or session for WordPress administration to limit exposure to cross-site requests.
- Require administrators to re-authenticate before performing bulk content operations.
# Example: PHP session cookie hardening, added to wp-config.php.
# Caveat: these ini settings govern only PHP's native session cookie.
# WordPress authentication cookies are issued with setcookie() and are not
# affected; SameSite for those must be applied at the web server or by
# code hooking WordPress's own cookie handling.
@ini_set('session.cookie_samesite', 'Strict');
@ini_set('session.cookie_secure', '1');
@ini_set('session.cookie_httponly', '1');
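A server-side stand-in for the WAF rule in the workarounds above, as an added example that is not part of the advisory or the plugin: a must-use plugin that rejects POST requests to the vulnerable endpoint whose Origin (or, failing that, Referer) host is not the site's own. It assumes the request path contains set-bulk-categories.php, that home_url() yields the host browsers actually use (adjust behind a reverse proxy under another name), and the sbpc_guard_ function names are invented for the example.

```php
<?php
/*
 * Plugin Name: Temporary CSRF guard for set-bulk-categories.php (added example)
 * Place in wp-content/mu-plugins/. Illustrative, not vendor code.
 * Remove once a patched plugin version is installed.
 */

// Returns true when a state-changing request should be rejected as cross-site.
// $server is $_SERVER (passed in so the check can be unit-tested); $site_host
// is the host WordPress considers its own.
function sbpc_guard_is_cross_site( array $server, string $site_host ): bool {
    if ( ( $server['REQUEST_METHOD'] ?? 'GET' ) !== 'POST' ) {
        return false;                         // only state-changing verbs matter here
    }
    if ( strpos( $server['REQUEST_URI'] ?? '', 'set-bulk-categories.php' ) === false ) {
        return false;                         // scope the guard to the vulnerable endpoint
    }
    // Browsers send Origin on cross-site POSTs; fall back to Referer if absent.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ( $source === '' ) {
        return true;                          // no provenance at all: treat as forged
    }
    // "Origin: null" and malformed values yield no host and are rejected too.
    $source_host = parse_url( $source, PHP_URL_HOST );
    return ! is_string( $source_host ) || strcasecmp( $source_host, $site_host ) !== 0;
}

function sbpc_guard_enforce() {
    $site_host = (string) parse_url( home_url(), PHP_URL_HOST );
    if ( sbpc_guard_is_cross_site( $_SERVER, $site_host ) ) {
        wp_die( 'Cross-site request rejected.', 'Forbidden', [ 'response' => 403 ] );
    }
}

// Run at load time rather than on a hook: mu-plugins load before regular
// plugins, so the check runs even if the plugin acts as soon as its file is included.
if ( defined( 'ABSPATH' ) ) {
    sbpc_guard_enforce();
}
```

Same-site requests from the plugin's own admin page carry the site's host in Origin or Referer and pass unchanged; a forged POST from another site carries that site's host and is stopped before any plugin code runs. Pair it with the log review above so rejected attempts are still recorded.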
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

