Severity: Medium

CVE-2026-1208

CSRF to Settings Update in Friendly Functions for Welcart

Description

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Friendly Functions for Welcart WordPress plugin in versions before 1.2.6. The plugin's settings update functionality lacks nonce verification, allowing an attacker to trick an authenticated administrator into unknowingly modifying plugin settings through a crafted request.

Welcart is a popular Japanese e-commerce plugin for WordPress, and the Friendly Functions extension adds supplementary functionality. This CSRF vulnerability could be leveraged to alter e-commerce settings affecting payment processing, shipping, and store configuration.

Technical Details

The vulnerability exists in the plugin's settings handler, where administrative actions are processed without validating a WordPress nonce token. The nonce is the one value in a form submission that an attacker's page cannot supply: it is tied to the victim's session and is only rendered on pages WordPress serves to that user, whereas the authentication cookie is attached by the browser to any request bound for the site. Without the check, the server cannot distinguish a legitimate settings update initiated by the admin from a forged request submitted by an attacker-controlled page.

Attack Vector

The attack requires social engineering — the attacker must convince an authenticated WordPress administrator to visit a malicious page while logged into the target site. The malicious page contains a hidden form that automatically submits a settings update request to the vulnerable endpoint; because the browser attaches the site's cookies to that cross-site submission, the request arrives carrying the administrator's session. WordPress authentication cookies set no SameSite attribute, so whether a given browser actually sends them on a cross-site POST depends on that browser's default SameSite handling, and exploitability can vary between browsers.

Vulnerability Characteristics

  • Authentication: Not required for the attacker (exploits the admin's authenticated session)
  • Attack Complexity: Low — standard CSRF payload construction
  • Privileges Required: None (but requires an admin to be logged in)
  • User Interaction: Required — admin must visit attacker-controlled page

Impact Assessment

Successful exploitation of this vulnerability could lead to:

  • Settings Manipulation: Unauthorized modification of Welcart e-commerce configuration
  • Business Logic Abuse: Potential alteration of payment, shipping, or pricing settings
  • Chained Attacks: Modified settings could enable further exploitation vectors
  • Data Integrity: E-commerce configuration changes could affect transaction processing

The severity is rated Medium (CVSS 4.3) because exploitation requires user interaction (the admin must visit a malicious page) and the direct impact is limited to settings modification. The 4.3 score matches the standard CVSS 3.1 vector for a CSRF with low integrity impact and no confidentiality or availability impact (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

Proof of Concept

The proof of concept includes:

  1. A crafted HTML page containing an auto-submitting form targeting the vulnerable settings endpoint
  2. A Nuclei template for automated detection
  3. ModSecurity and Nginx WAF rules for mitigation

Full PoC, detection templates, and WAF rules are available in the GitHub repository.

Remediation Steps

For Site Administrators

  • Update immediately to Friendly Functions for Welcart version 1.2.6 or later
  • Review Welcart settings (payment, shipping, and store configuration) for any unauthorized changes
  • Implement a Web Application Firewall with CSRF protection rules as a stop-gap; a WAF can only reject requests on header heuristics such as Origin and Referer, it cannot replace the missing nonce check
  • Educate administrators about phishing and social engineering risks

For Plugin Developers

  • Implement WordPress nonce verification on all state-changing actions
  • Use wp_nonce_field() and wp_verify_nonce() for form submissions
  • Apply check_admin_referer() for admin action handlers (and check_ajax_referer() for wp_ajax_* handlers)
  • Pair every nonce check with a capability check such as current_user_can(); a nonce proves the request came from a page rendered for this user, not that the user is allowed to perform the action
  • Follow WordPress Plugin Security best practices for CSRF prevention
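The unprotected handler pattern described under Technical Details, beside the hardened form the developer remediation list calls for, as an added PHP illustration. This is not code from Friendly Functions for Welcart or from Welcart; the `admin_post_*` hook names, the `ffw_settings` option key, the settings page slug and the two setting fields are hypothetical stand-ins chosen for the example.

```php
<?php
/**
 * Added illustration, not plugin code. Hook names, the 'ffw_settings' option
 * key, the page slug and the field names are hypothetical.
 */

// --- Vulnerable pattern: any POST that reaches admin-post.php with this
// action is honoured. The only "authentication" is the session cookie, which
// the browser attaches to a forged cross-site form submission as well.
add_action( 'admin_post_ffw_save_settings_vuln', 'ffw_save_settings_vuln' );
function ffw_save_settings_vuln() {
    // No nonce check, no capability check, no input validation.
    $settings = array(
        'shipping_fee'         => isset( $_POST['shipping_fee'] ) ? $_POST['shipping_fee'] : '',
        'payment_notify_email' => isset( $_POST['payment_notify_email'] ) ? $_POST['payment_notify_email'] : '',
    );
    update_option( 'ffw_settings', $settings ); // hypothetical option key
    wp_safe_redirect( admin_url( 'admin.php?page=ffw-settings&updated=1' ) );
    exit;
}

// --- Hardened pattern, part 1: the settings form embeds a nonce bound to the
// current user's session. An attacker's page cannot obtain this value.
function ffw_render_settings_form() {
    $settings = get_option( 'ffw_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ffw_save_settings">
        <?php wp_nonce_field( 'ffw_save_settings', 'ffw_nonce' ); ?>
        <label>Shipping fee
            <input type="text" name="shipping_fee"
                   value="<?php echo esc_attr( $settings['shipping_fee'] ?? '' ); ?>">
        </label>
        <label>Payment notification e-mail
            <input type="email" name="payment_notify_email"
                   value="<?php echo esc_attr( $settings['payment_notify_email'] ?? '' ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, part 2: the handler checks capability, then nonce,
// then validates input before touching the option.
add_action( 'admin_post_ffw_save_settings', 'ffw_save_settings' );
function ffw_save_settings() {
    // 1. Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. CSRF: check_admin_referer() verifies the nonce field named 'ffw_nonce'
    //    against the 'ffw_save_settings' action and dies with a 403 page if it
    //    is missing, expired or was issued for another user or action.
    check_admin_referer( 'ffw_save_settings', 'ffw_nonce' );

    // 3. Input validation and sanitisation before persisting.
    $fee   = isset( $_POST['shipping_fee'] ) ? sanitize_text_field( wp_unslash( $_POST['shipping_fee'] ) ) : '';
    $email = isset( $_POST['payment_notify_email'] ) ? sanitize_email( wp_unslash( $_POST['payment_notify_email'] ) ) : '';
    if ( ! is_numeric( $fee ) || ( '' !== $email && ! is_email( $email ) ) ) {
        wp_die( 'Invalid settings values', 400 );
    }

    update_option( 'ffw_settings', array(
        'shipping_fee'         => $fee,
        'payment_notify_email' => $email,
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=ffw-settings&updated=1' ) );
    exit;
}
```

check_admin_referer() terminates the request when the nonce is missing or invalid, which is the behaviour an admin-post.php handler wants; a handler that must return a structured error instead can call wp_verify_nonce() directly and branch on its false return, and wp_ajax_* handlers use check_ajax_referer(). The order matters only for the error a caller sees; what matters for the fix is that both the capability check and the nonce check run before update_option(), since neither one on its own covers the other's case.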

Disclosure Timeline

  • 2025-12-05: Vulnerability discovered during WordPress plugin security audit
  • 2025-12-08: Reported through Wordfence Bug Bounty Program
  • 2025-12-20: Vendor notified and vulnerability confirmed
  • 2026-01-15: Patch released in version 1.2.6
  • 2026-01-23: CVE-2026-1208 assigned and publicly disclosed

References

Discovered by: Kai Aizen (SnailSploit)