{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1455", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-26T20:12:04.006Z", "datePublished": "2026-02-19T04:36:25.835Z", "dateUpdated": "2026-04-08T17:29:37.063Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:37.063Z"}, "affected": [{"vendor": "whatsiplus", "product": "Whatsiplus Scheduled Notification for Woocommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e466640e-de66-42f0-b56b-226db32d382d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L84"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-02-18T15:52:18.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:27:49.457970Z", "id": "CVE-2026-1455", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:28:00.278Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:27:49.457970Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:27:55.450Z"}}], "cna": {"title": "Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "whatsiplus", "product": "Whatsiplus Scheduled Notification for Woocommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:52:18.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e466640e-de66-42f0-b56b-226db32d382d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L84"}], "descriptions": [{"lang": "en", "value": "The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T04:36:25.835Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1455", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:28:00.278Z", "dateReserved": "2026-01-26T20:12:04.006Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:25.835Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Whatsiplus Scheduled Notification for Woocommerce para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.0.1, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la acci\u00f3n AJAX 'wsnfw_save_users_settings'. Esto hace posible que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2026-1455", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:44.060", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L84"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L85"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e466640e-de66-42f0-b56b-226db32d382d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Whatsiplus Scheduled Notification for Woocommerce", "source": "cna", "vendor": "whatsiplus"}, "product": "whatsiplus_scheduled_notification_for_woocommerce", "vendor": "whatsiplus"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:09:59.613345+00:00", "value": {"mitigation_remediation": ["Update the Whatsiplus Scheduled Notification for WooCommerce plugin to the latest release that includes CSRF protection.", "If a patch is not yet available, modify the plugin\u2019s wsnfw_save_users_settings AJAX handler to require a valid nonce before processing requests.", "Restrict access to the AJAX endpoint so that only authenticated users with the appropriate capability can invoke it, for example by adding a capability check or using a firewall rule to block unauthenticated requests."], "summary": {"action": "Patch", "impact": "Unauthenticated modification of plugin configuration via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress sites that run the Whatsiplus Scheduled Notification for WooCommerce plugin version 1.0.1 or earlier. Versions newer than 1.0.1 are not affected because the CSRF protection has been added in later releases.", "description_and_impact": "The Whatsiplus Scheduled Notification for WooCommerce plugin contains a Cross\u2011Site Request Forgery flaw caused by the absence of nonce validation on the wsnfw_save_users_settings AJAX action. An attacker who can coerce a logged\u2011in administrator into clicking a crafted link or submitting a forged form can alter the plugin\u2019s configuration settings without authentication. The vulnerability only affects the integrity of the plugin\u2019s settings and does not provide code execution or data exfiltration.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact, while the EPSS score of less than 1\u202f% reflects a low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires a web\u2011based CSRF attack: the attacker must prompt a legitimate administrator to perform a request while a logged\u2011in session is active. This typically involves social engineering, such as a phishing link or malicious form. Given the moderate severity and low exploitation probability, the risk remains manageable but should be mitigated promptly to prevent potential configuration misuse."}}}}, "created": "2026-02-19T10:06:50.458836+00:00", "updated": "2026-04-15T18:15:10.843985+00:00", "vendors": ["whatsiplus", "whatsiplus$PRODUCT$whatsiplus_scheduled_notification_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}