CVE-2026-9732: EmergencyWP WordPress Plugin CSRF Vulnerability

CVE-2026-9732 Overview

CVE-2026-9732 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress. The flaw exists in all versions up to and including 1.4.2. The vulnerability stems from missing or incorrect nonce validation in the form_settings_ui settings save handler. Unauthenticated attackers can forge requests that, when executed by an authenticated administrator, modify plugin settings. Affected settings include the minimum access role (which alters WordPress role capabilities via add_cap/remove_cap), the data-erasure-on-uninstall flag, life-check timing values, the mandator email address, the confirmation page ID, and date/time formats. The vulnerability is tracked under [CWE-352].

Critical Impact

Successful exploitation allows unauthenticated attackers to modify plugin configuration and WordPress role capabilities by tricking an administrator into clicking a malicious link.

Affected Products

• EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress
• All versions up to and including 1.4.2
• WordPress sites with the vulnerable plugin installed and active

Discovery Timeline

• 2026-06-03 - CVE CVE-2026-9732 published to NVD
• 2026-06-04 - Last updated in NVD database

Technical Details for CVE-2026-9732

Vulnerability Analysis

The vulnerability resides in the EmergencyWP plugin's settings save handler. The form_settings_ui function processes administrative form submissions for plugin configuration. Because the handler does not properly validate WordPress nonces, the server accepts state-changing POST requests without confirming user intent.

An attacker who hosts a malicious page can craft a hidden form that submits to the WordPress admin endpoint. When a logged-in administrator visits the attacker-controlled page, the browser submits the forged request with valid authentication cookies. The plugin processes the request as if the administrator submitted it directly.

Impacted settings include role capability mappings, the uninstall data-erasure flag, life-check timer values, the mandator email address, the confirmation page identifier, and date/time format strings. Modifying role capabilities through add_cap and remove_cap calls can alter access boundaries within the WordPress installation.

Root Cause

The root cause is missing or incorrect nonce validation in the procedural include scope of the settings save handler. WordPress provides wp_verify_nonce() and check_admin_referer() to bind form submissions to a specific user session. The EmergencyWP plugin omits or improperly applies these checks, allowing any request bearing valid administrator cookies to succeed.

Attack Vector

Exploitation requires user interaction. The attacker must trick a site administrator into visiting a malicious page or clicking a crafted link while authenticated to WordPress. The attack vector is network-based and does not require attacker authentication. The plugin code paths involved are documented in the WordPress plugin source at the settings_main.php reference (line 17), line 79, and line 217.

The vulnerability manifests in the settings save handler. See the Wordfence Vulnerability Report for additional technical details.

Detection Methods for CVE-2026-9732

Indicators of Compromise

• Unexpected modifications to EmergencyWP plugin settings, particularly changes to the minimum access role or mandator email address.
• WordPress role capability changes initiated through add_cap or remove_cap without a corresponding administrative action in the audit log.
• HTTP POST requests to the EmergencyWP settings endpoint that originate from external referrers.
• Changes to the data-erasure-on-uninstall flag that were not authorized by site operators.

Detection Strategies

• Audit WordPress role and capability assignments on a recurring schedule and alert on unexpected changes.
• Inspect web server access logs for POST requests to plugin settings endpoints with off-site Referer headers.
• Enable WordPress activity logging to capture configuration changes with timestamps and originating user sessions.

Monitoring Recommendations

• Monitor the EmergencyWP configuration values for drift, including the mandator email address and confirmation page ID.
• Track outbound email destinations configured in the plugin to identify attacker-controlled addresses.
• Correlate administrator browser activity with plugin setting changes to identify CSRF-driven modifications.

How to Mitigate CVE-2026-9732

Immediate Actions Required

• Update the EmergencyWP plugin to a version newer than 1.4.2 once the vendor publishes a fix.
• Review current plugin settings and WordPress role capabilities for unauthorized changes.
• Restrict administrator browser sessions to trusted sites and avoid browsing untrusted content while logged into WordPress.

Patch Information

As of the NVD publication date, no fixed version has been listed in the available references. Site operators should monitor the Wordfence Vulnerability Report and the WordPress plugin repository for an updated release that adds proper nonce validation to the form_settings_ui handler.

Workarounds

• Deactivate the EmergencyWP plugin until a patched version is released.
• Deploy a web application firewall rule that blocks POST requests to EmergencyWP settings endpoints lacking a same-origin Referer header.
• Require administrators to use a dedicated browser profile for WordPress administration to reduce cross-origin attack surface.
• Enforce a Content Security Policy and SameSite=Strict cookies on the WordPress admin domain to limit cross-site request execution.