CVE-2026-2023
Description
The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, where the check is disabled by prefixing it with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP Plugin Info Card plugin for WordPress (≤6.2.0) has a CSRF vulnerability due to missing nonce validation, allowing unauthenticated attackers to create or modify custom plugin entries.
The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 6.2.0. The root cause is a missing nonce validation in the ajax_save_custom_plugin() function. The code attempts to disable the nonce check by prefixing the validation call with false &&, effectively commenting it out, which leaves the function unprotected [1].
To exploit this vulnerability, an unauthenticated attacker must trick a site administrator into performing an action, such as clicking on a crafted link. The attacker does not need any authentication or special network position, as the forged request can be delivered via email, social media, or other means. The CSRF attack targets the AJAX handler that saves custom plugin entries, which is accessible to any user who can trigger the action [1].
Successful exploitation allows an attacker to create or modify custom plugin entries in the WordPress admin panel. This could lead to the injection of malicious plugin data or the alteration of existing entries, potentially affecting the site's functionality or appearance. The impact is limited to the plugin's custom post type and does not directly lead to remote code execution or privilege escalation [1].
As of the publication date (2026-02-18), the vulnerability has been disclosed but no patch is mentioned. Users are advised to update the plugin to a patched version once available, or to disable the plugin if it is not essential. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
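The following is an added illustration, not code from the WP Plugin Info Card plugin itself: it contrasts the disabled-check shape the CVE description names (a nonce check prefixed with `false &&`) with a hardened WordPress AJAX handler that verifies the nonce, checks a capability and sanitizes input. The hook, nonce action, option and script handle names (`pic_save_custom_plugin`, `pic_custom_plugin_nonce`, `pic_custom_plugins`, `pic-admin`) are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Hook, nonce action, option and script
// handle names are hypothetical; only the 'false &&' pattern comes from the CVE.

// VULNERABLE SHAPE: 'false &&' short-circuits the condition, so the nonce is
// never checked and the handler runs for any request the browser can be made
// to send on behalf of a logged-in administrator (CSRF).
function pic_ajax_save_custom_plugin_vulnerable() {
    if ( false && ! wp_verify_nonce( $_POST['nonce'] ?? '', 'pic_custom_plugin_nonce' ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    // ... saves $_POST fields into the custom plugin entry ...
}

// HARDENED: verify the nonce, then the capability, then sanitize input.
function pic_ajax_save_custom_plugin_fixed() {
    // Dies with HTTP 403 when the 'nonce' field is missing, stale or forged.
    check_ajax_referer( 'pic_custom_plugin_nonce', 'nonce' );

    // A nonce proves intent, not authority: also require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $slug  = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $slug ) {
        wp_send_json_error( 'Missing slug', 400 );
    }

    $entries          = get_option( 'pic_custom_plugins', array() );
    $entries[ $slug ] = array( 'title' => $title );
    update_option( 'pic_custom_plugins', $entries );

    wp_send_json_success( array( 'slug' => $slug ) );
}
// Register only the authenticated hook; an admin-only action gets no
// wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_pic_save_custom_plugin', 'pic_ajax_save_custom_plugin_fixed' );

// Hand the nonce to the admin-page script so legitimate requests can carry it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'pic-admin', 'picAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'pic_custom_plugin_nonce' ),
    ) );
} );
```

A quick audit check for this class of bug is to grep the plugin for `false &&` or `true ||` next to `wp_verify_nonce`, `check_ajax_referer` or `check_admin_referer`, since those prefixes silently neutralize the check.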
Affected products
- (no CPE)
- (no CPE), range: <=6.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/DLXPlugins/wp-plugin-info-card/blob/0fe50d3ccb3d61d5d176fab9e9f280ac8bfd8614/php/Admin/Init.php (source: nvd)
- plugins.trac.wordpress.org/browser/wp-plugin-info-card/tags/6.2.0/php/Admin/Init.php (source: nvd)
- plugins.trac.wordpress.org/browser/wp-plugin-info-card/trunk/php/Admin/Init.php (source: nvd)
- plugins.trac.wordpress.org/changeset (source: nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/1213a21f-a9c1-4da3-99b5-4a5a0673073f (source: nvd)
News mentions
No linked articles in our index yet.