{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2023", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T20:40:19.430Z", "datePublished": "2026-02-18T05:29:15.847Z", "dateUpdated": "2026-04-08T16:36:21.792Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:21.792Z"}, "affected": [{"vendor": "brikou", "product": "WP Plugin Info Card", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WP Plugin Info Card <= 6.2.0 - Cross-Site Request Forgery to Arbitrary Custom Plugin Entry Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1213a21f-a9c1-4da3-99b5-4a5a0673073f?source=cve"}, {"url": "https://github.com/DLXPlugins/wp-plugin-info-card/blob/0fe50d3ccb3d61d5d176fab9e9f280ac8bfd8614/php/Admin/Init.php#L390"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-plugin-info-card/tags/6.2.0/php/Admin/Init.php#L390"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-plugin-info-card/trunk/php/Admin/Init.php#L390"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454992%40wp-plugin-info-card&new=3454992%40wp-plugin-info-card&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Duong Quang Hao"}], "timeline": [{"time": "2026-02-05T20:55:30.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T17:12:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:24.560207Z", "id": "CVE-2026-2023", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:53:29.827Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2023", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:24.560207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:25.692Z"}}], "cna": {"title": "WP Plugin Info Card <= 6.2.0 - Cross-Site Request Forgery to Arbitrary Custom Plugin Entry Creation", "credits": [{"lang": "en", "type": "finder", "value": "Duong Quang Hao"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "brikou", "product": "WP Plugin Info Card", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T20:55:30.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T17:12:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1213a21f-a9c1-4da3-99b5-4a5a0673073f?source=cve"}, {"url": "https://github.com/DLXPlugins/wp-plugin-info-card/blob/0fe50d3ccb3d61d5d176fab9e9f280ac8bfd8614/php/Admin/Init.php#L390"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-plugin-info-card/tags/6.2.0/php/Admin/Init.php#L390"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-plugin-info-card/trunk/php/Admin/Init.php#L390"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454992%40wp-plugin-info-card&new=3454992%40wp-plugin-info-card&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:21.792Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2023", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:21.792Z", "dateReserved": "2026-02-05T20:40:19.430Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T05:29:15.847Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin WP Plugin Info Card para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 6.2.0, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n ajax_save_custom_plugin(), la cual est\u00e1 deshabilitada al prefijar la comprobaci\u00f3n con 'false &amp;&amp;'. Esto hace posible que atacantes no autenticados creen o modifiquen entradas de plugins personalizadas a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-2023", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T06:16:35.223", "references": [{"source": "security@wordfence.com", "url": "https://github.com/DLXPlugins/wp-plugin-info-card/blob/0fe50d3ccb3d61d5d176fab9e9f280ac8bfd8614/php/Admin/Init.php#L390"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-plugin-info-card/tags/6.2.0/php/Admin/Init.php#L390"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-plugin-info-card/trunk/php/Admin/Init.php#L390"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454992%40wp-plugin-info-card&new=3454992%40wp-plugin-info-card&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1213a21f-a9c1-4da3-99b5-4a5a0673073f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Plugin Info Card", "source": "cna", "vendor": "brikou"}, "product": "wp_plugin_info_card", "vendor": "brikou"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:25:43.488756+00:00", "value": {"mitigation_remediation": ["Upgrade WP Plugin Info Card to a version newer than 6.2.0 where the nonce validation is restored.", "If an upgrade is not possible, disable the custom plugin entry feature by removing or commenting out the ajax_save_custom_plugin() check in the Admin/Init.php file.", "As a temporary measure, block the AJAX endpoint for unauthenticated users using server rules such as .htaccess or firewall configurations."], "summary": {"action": "Apply Patch", "impact": "Unauthorized configuration changes via CSRF"}, "threat_synthesis": {"affected_systems": "Affected product: WP Plugin Info Card by brikou. Versions 6.2.0 and earlier are vulnerable. The issue arises in the PHP admin component of the plugin.", "description_and_impact": "The WP Plugin Info Card plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery from missing nonce validation in its ajax_save_custom_plugin() function. An unauthenticated attacker can forge an admin request to create or modify custom plugin entries, inserting arbitrary data that will be displayed to site visitors. This can be used to deface content, embed malicious links, or mislead users, compromising the integrity and trust of the site.", "risk_and_exploitability": "The CVSS score is 4.3 (medium) and the EPSS score is less than 1%, indicating a low likelihood of widespread exploitation. The vulnerability is not listed in the KEV catalog. The attack requires an administrator to be logged in and to click a crafted link; the CSRF nature means that the vulnerability is exploitable via a simple link, so mitigation is straightforward. No known public exploit appears to be available, but the low EPSS does not eliminate risk."}}}}, "created": "2026-02-18T10:32:49.730639+00:00", "updated": "2026-04-15T20:30:13.779912+00:00", "vendors": ["brikou", "brikou$PRODUCT$wp_plugin_info_card", "wordpress", "wordpress$PRODUCT$wordpress"]}