{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4143", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T15:43:59.960Z", "datePublished": "2026-03-21T03:27:08.068Z", "dateUpdated": "2026-04-08T17:26:29.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:29.908Z"}, "affected": [{"vendor": "neo2oo5", "product": "Neos Connector for Fakturama", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.0.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_plugin_page() function which handles settings updates. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "title": "Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d6ffc8de-e8e4-41b6-a4b9-79511fb950fc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/trunk/neosconnectorforfakturama-admin.php#L231"}, {"url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/tags/0.0.14/neosconnectorforfakturama-admin.php#L231"}, {"url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/trunk/neosconnectorforfakturama-admin.php#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/tags/0.0.14/neosconnectorforfakturama-admin.php#L223"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-03-20T15:07:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:56:07.635263Z", "id": "CVE-2026-4143", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:57:26.129Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4143", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:56:07.635263Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:56:13.605Z"}}], "cna": {"title": "Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "neo2oo5", "product": "Neos Connector for Fakturama", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.0.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:07:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d6ffc8de-e8e4-41b6-a4b9-79511fb950fc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/trunk/neosconnectorforfakturama-admin.php#L231"}, {"url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/tags/0.0.14/neosconnectorforfakturama-admin.php#L231"}, {"url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/trunk/neosconnectorforfakturama-admin.php#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/tags/0.0.14/neosconnectorforfakturama-admin.php#L223"}], "descriptions": [{"lang": "en", "value": "The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_plugin_page() function which handles settings updates. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:29.908Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4143", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:29.908Z", "dateReserved": "2026-03-13T15:43:59.960Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:08.068Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_plugin_page() function which handles settings updates. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}, {"lang": "es", "value": "El plugin Neos Connector for Fakturama para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 0.0.14 inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n ncff_add_plugin_page() que gestiona las actualizaciones de configuraci\u00f3n. Esto hace posible que atacantes no autenticados modifiquen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-4143", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:42.840", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/tags/0.0.14/neosconnectorforfakturama-admin.php#L223"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/tags/0.0.14/neosconnectorforfakturama-admin.php#L231"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/trunk/neosconnectorforfakturama-admin.php#L223"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/neos-connector-for-fakturama/trunk/neosconnectorforfakturama-admin.php#L231"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d6ffc8de-e8e4-41b6-a4b9-79511fb950fc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.0.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Neos Connector for Fakturama", "source": "cna", "vendor": "neo2oo5"}, "product": "neos_connector_for_fakturama", "vendor": "neo2oo5"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:11:06.155803+00:00", "value": {"mitigation_remediation": ["Update Neos Connector for Fakturama to a version newer than 0.0.14. ", "Verify that the plugin\u2019s settings update routine contains proper nonce validation, and modify the code if necessary. ", "If an update cannot be applied immediately, temporarily disable the plugin settings edit capability or restrict access to administrators. ", "Ensure that the broader WordPress installation and all other plugins are up to date."], "summary": {"action": "Patch immediately", "impact": "Unauthenticated Cross\u2011Site Request Forgery that allows modification of plugin settings"}, "threat_synthesis": {"affected_systems": "All installations of the Neos Connector for Fakturama WordPress plugin with version 0.0.14 or earlier. The affected component is the plugin\u2019s admin interface that handles settings updates. The vendor is neo2oo5, product Neos Connector for Fakturama. No additional products are listed.", "description_and_impact": "The Neos Connector for Fakturama plugin for WordPress contains a missing nonce check in the ncff_add_plugin_page() routine. This omission enables a Cross\u2011Site Request Forgery attack: an unauthenticated user can convince a site administrator to send a crafted request that updates plugin configuration. Because the plugin settings govern how Fakturama interacts with the WordPress site, an attacker could change operational parameters, potentially exposing the site to further compromise or disrupting business processes. The weakness is a classic CSRF vulnerability (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low\u2011to\u2011moderate severity. Exploitation requires only that an administrator click a malicious link; the attacker does not need any privileged credentials. No EPSS information is available and the vulnerability is not in the CISA KEV catalog. Given the low effort required once the admin is deceived, the risk for sites that maintain older plugin versions is moderate, especially if they lack additional CSRF protections."}}}}, "created": "2026-03-23T09:49:53.887504+00:00", "updated": "2026-03-25T14:41:33.442091+00:00", "vendors": ["neo2oo5", "neo2oo5$PRODUCT$neos_connector_for_fakturama", "wordpress", "wordpress$PRODUCT$wordpress"]}