{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1398", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-23T21:32:03.372Z", "datePublished": "2026-01-28T11:23:42.461Z", "dateUpdated": "2026-04-08T17:33:25.381Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:25.381Z"}, "affected": [{"vendor": "chrisnowak", "product": "Change WP URL", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Change WP URL <= 1.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dead05-5960-4ccb-89c2-c8bb0cd9c9e9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L85"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-01-27T21:48:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T15:50:24.575988Z", "id": "CVE-2026-1398", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:50:37.635Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1398", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T15:50:24.575988Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:50:32.409Z"}}], "cna": {"title": "Change WP URL <= 1.0 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "chrisnowak", "product": "Change WP URL", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-27T21:48:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dead05-5960-4ccb-89c2-c8bb0cd9c9e9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L85"}], "descriptions": [{"lang": "en", "value": "The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:25.381Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1398", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:25.381Z", "dateReserved": "2026-01-23T21:32:03.372Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T11:23:42.461Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Change WP URL para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.0, inclusive. Esto se debe a la validaci\u00f3n de nonce ausente o incorrecta en la p\u00e1gina 'change-wp-url'. Esto hace posible que atacantes no autenticados cambien la URL de inicio de sesi\u00f3n de WP a trav\u00e9s de una petici\u00f3n falsificada siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1398", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T12:15:53.180", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L18"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L85"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L18"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L85"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dead05-5960-4ccb-89c2-c8bb0cd9c9e9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T17:33:04.576841+00:00", "value": {"mitigation_remediation": ["Replace or upgrade the Change WP URL plugin with a release that includes proper nonce validation; if no newer version exists, uninstall the plugin entirely.", "Enable WordPress\u2019s built-in nonce checks on all state\u2011changing requests or install a security plugin that adds CSRF protection to the admin area.", "Educate site administrators to recognize and avoid clicking on suspicious links that prompt them to change site settings, and consider restricting the number of users with the capability to modify core URLs."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery leading to unauthorized change of the WordPress login URL"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have installed the Change WP URL plugin by chrisnowak in versions 1.0 or earlier are vulnerable. No other product or vendor is affected according to the CNA data.", "description_and_impact": "The vulnerability in the Change WP URL plugin arises because the \"change-wp-url\" settings page fails to validate nonce tokens. This flaw allows an unauthenticated attacker to craft a forged request that, if an administrator clicks, will alter the site\u2019s login URL. The result is an uncontrolled change to the core authentication endpoint, which could enable credential harvesting, impersonation attacks, or lock administrators out if the new URL is unknown or incorrect. The weakness is documented as CWE\u2011352.", "risk_and_exploitability": "The CVSS score is 4.3, placing the flaw in the low severity range. The EPSS score of less than 1\u202f% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker gain the ability to send a crafted link to an administrator, typically through phishing or social engineering. Because the flaw is limited to a plugin setting page and does not involve direct code execution, the overall risk remains modest but still warrants remediation to prevent accidental administrative lock\u2011outs or credential compromise."}}}}, "created": "2026-01-29T09:18:31.265773+00:00", "updated": "2026-04-15T18:00:15.529260+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}