CVE-2026-2023 Overview
The WP Plugin Info Card plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 6.2.0. This security flaw exists due to missing nonce validation in the ajax_save_custom_plugin() function, where the security check has been intentionally disabled by prefixing it with false &&. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request, provided they can trick a site administrator into performing an action such as clicking on a malicious link.
Critical Impact
Unauthenticated attackers can manipulate custom plugin entries on WordPress sites by exploiting disabled nonce validation, potentially leading to content manipulation and site integrity compromise.
Affected Products
- WP Plugin Info Card plugin for WordPress versions up to and including 6.2.0
Discovery Timeline
- 2026-02-18 - CVE-2026-2023 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2023
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The root cause lies in the improper implementation of nonce validation within the ajax_save_custom_plugin() function located in php/Admin/Init.php. WordPress nonce tokens are designed to protect against CSRF by tying each request to a token the site issued to that user for that specific action, so a request forged from another site cannot carry a valid one.
In this case, the nonce validation check has been explicitly disabled in the code by prepending the conditional check with false &&. The condition therefore always evaluates to false, the failure branch never runs, and every request passes the check. This oversight allows attackers to craft requests that, when submitted by an authenticated administrator's browser, are processed by the server as legitimate actions.
Root Cause
The vulnerability stems from disabled nonce validation in the ajax_save_custom_plugin() function. The security check that should verify the authenticity of incoming requests has been disabled by modifying the conditional logic with false &&, which causes the nonce verification to never execute. This pattern suggests either a debugging artifact left in production code or an intentional but misguided attempt to disable security controls.
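As an added illustration of the defect described above and of the usual WordPress fix (constructed for this page, not the plugin's own code): the hook, option and nonce names are placeholders, and the "before" handler reproduces only the false && short-circuit pattern.

```php
<?php
// Constructed example of the CWE-352 pattern; not code from WP Plugin Info Card.
// Hook, option and nonce names below are placeholders.

// BEFORE (vulnerable shape): "false &&" short-circuits the condition, so the
// failure branch is unreachable and every request, forged or not, is accepted.
function vulnerable_ajax_save_custom_plugin() {
    if ( false && ! wp_verify_nonce( $_POST['nonce'] ?? '', 'example_save_custom_plugin' ) ) {
        wp_send_json_error( 'Invalid nonce', 403 ); // never runs
    }
    $name = sanitize_text_field( wp_unslash( $_POST['plugin_name'] ?? '' ) );
    update_option( 'example_custom_plugins', array( $name ) ); // forged request lands here
    wp_send_json_success();
}

// AFTER (hardened): verify the nonce first, then the capability. check_ajax_referer()
// reads $_REQUEST['nonce'] and, with its default $stop=true, ends the request with -1
// when the nonce is missing or stale. A capability check alone would not stop CSRF,
// because the victim administrator already has the capability.
function hardened_ajax_save_custom_plugin() {
    check_ajax_referer( 'example_save_custom_plugin', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $name    = sanitize_text_field( wp_unslash( $_POST['plugin_name'] ?? '' ) );
    $entries = get_option( 'example_custom_plugins', array() );
    $entries[] = $name;
    update_option( 'example_custom_plugins', $entries );
    wp_send_json_success( array( 'count' => count( $entries ) ) );
}
add_action( 'wp_ajax_example_save_custom_plugin', 'hardened_ajax_save_custom_plugin' );

// The nonce only protects if legitimate requests carry it: issue it to the admin
// page's script so the plugin's own JavaScript can send it as the "nonce" field.
function example_enqueue_admin_js() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_custom_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );
```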
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must craft a malicious HTML page or link containing a forged request targeting the vulnerable AJAX endpoint. When an authenticated WordPress administrator visits the malicious page or clicks the link while logged into the affected WordPress site, the forged request is automatically submitted with the administrator's session credentials.
The vulnerability can be exploited through various social engineering techniques including phishing emails, malicious advertisements, or compromised websites. The attack does not require the attacker to have any authentication credentials on the target WordPress installation.
The vulnerable code is located at line 390 in the Init.php file within the plugin's Admin directory. Technical details can be found in the WordPress Plugin Code Reference and the GitHub Plugin Code Reference.
Detection Methods for CVE-2026-2023
Indicators of Compromise
- Unexpected modifications to custom plugin entries in the WP Plugin Info Card settings
- Access logs showing POST requests to wp-admin/admin-ajax.php carrying the plugin's save-custom-plugin action with an external Referer header
- New or modified plugin card entries that administrators did not create
- Suspicious HTTP referrer headers in requests to WordPress AJAX endpoints
Detection Strategies
- Monitor WordPress AJAX requests for ajax_save_custom_plugin actions with unusual or external referrer headers
- Implement Web Application Firewall (WAF) rules to detect and block CSRF attack patterns
- Review server access logs for suspicious patterns of admin-level AJAX requests following visits to external URLs
- Deploy WordPress security plugins that can detect missing nonce validation in plugin code
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX endpoints and administrative actions
- Configure alerts for bulk or unusual modifications to plugin settings
- Implement Content Security Policy (CSP) headers to restrict form submissions to trusted origins
- Monitor for new or modified custom plugin entries that correlate with administrator browsing activity
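A WordPress-side detection hook for the indicators and monitoring points listed above, added here as an example and not part of the plugin: a must-use plugin that runs before the plugin's AJAX handler, classifies the request from its Sec-Fetch-Site, Origin and Referer headers, logs anything not clearly same-site, and refuses cross-site requests. EXAMPLE_GUARDED_ACTION is a placeholder for the plugin's real admin-ajax action name, which this page does not give.

```php
<?php
/**
 * Plugin Name: Example cross-site AJAX guard (mu-plugin)
 * Constructed defensive example, not part of WP Plugin Info Card. Place it in
 * wp-content/mu-plugins/. EXAMPLE_GUARDED_ACTION is a placeholder: replace it with
 * the real "action" value the plugin's admin JavaScript sends to admin-ajax.php.
 */
const EXAMPLE_GUARDED_ACTION = 'save_custom_plugin';

// Classify a request as 'same-site', 'cross-site' or 'unknown' from its headers.
function example_classify_request_origin( array $server, string $site_host ): string {
    // Browsers send Sec-Fetch-Site; a request forged from another site carries 'cross-site'.
    $sfs = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    if ( $sfs === 'cross-site' ) {
        return 'cross-site';
    }
    if ( $sfs === 'same-origin' || $sfs === 'same-site' ) {
        return 'same-site';
    }
    // Fall back to Origin, then Referer, comparing the host with the site's own host.
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $server[ $header ] ) ) {
            $host = strtolower( (string) parse_url( $server[ $header ], PHP_URL_HOST ) );
            return ( $host === strtolower( $site_host ) ) ? 'same-site' : 'cross-site';
        }
    }
    return 'unknown'; // no usable header; log it but do not block
}

// Priority 0 runs before the plugin's own handler (add_action default is 10).
function example_guard_custom_plugin_ajax() {
    $site_host = (string) parse_url( home_url(), PHP_URL_HOST );
    $verdict   = example_classify_request_origin( $_SERVER, $site_host );
    if ( $verdict === 'same-site' ) {
        return;
    }
    // Matches the advisory's indicator: this action reached with an external referrer.
    error_log( sprintf(
        'example-guard: %s request to action=%s user=%d ip=%s referer=%s',
        $verdict, EXAMPLE_GUARDED_ACTION, get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['HTTP_REFERER'] ?? '-'
    ) );
    if ( $verdict === 'cross-site' ) {
        wp_send_json_error( 'Cross-site request refused', 403 ); // ends the request
    }
}
add_action( 'wp_ajax_' . EXAMPLE_GUARDED_ACTION, 'example_guard_custom_plugin_ajax', 0 );
```

Requests with no Sec-Fetch-Site, Origin or Referer (for example from scripted admin tooling) are logged but allowed, so legitimate automation is not broken while the plugin is still unpatched.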
How to Mitigate CVE-2026-2023
Immediate Actions Required
- Update WP Plugin Info Card plugin to a patched version beyond 6.2.0 immediately
- Review recent changes to custom plugin entries for any unauthorized modifications
- Audit WordPress administrator activity logs for suspicious AJAX requests
- Consider temporarily disabling the WP Plugin Info Card plugin until patched
Patch Information
A fix has been released addressing the CSRF vulnerability. The patch restores proper nonce validation in the ajax_save_custom_plugin() function. Details of the code changes can be reviewed in the WordPress Plugin Changeset. Additional vulnerability information is available in the Wordfence Vulnerability Report.
Workarounds
- Restrict WordPress admin panel access to trusted IP addresses using .htaccess or server configuration
- Implement additional CSRF protection at the web server or WAF level
- Train administrators to avoid clicking links from untrusted sources while logged into WordPress
- Consider using browser extensions that protect against CSRF attacks for administrative sessions
# Example .htaccess configuration to restrict wp-admin access by IP
# Replace the two addresses with the static IPs your administrators use.
# Note: /wp-admin/admin-ajax.php sits under this prefix, so the rule also blocks
# front-end AJAX that themes and plugins serve to anonymous visitors. Because a
# CSRF request is sent by the administrator's own browser from an allowed IP, this
# narrows exposure of the admin area but does not by itself defeat the forgery.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.100$
RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.50$
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.