CVE-2026-4070
Description
The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the 'delete' GET parameter. This makes it possible for unauthenticated attackers to delete arbitrary plugin feed data (from alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Alfie Feed Plugin for WordPress up to 1.2.1 lacks CSRF protection on feed deletion, allowing unauthenticated attackers to delete plugin data via a forged request.
Vulnerability
The Alfie – Feed Plugin for WordPress versions up to and including 1.2.1 is vulnerable to Cross-Site Request Forgery (CSRF). The alfie_manage() function in alfie-manage.php handles feed deletion via the 'delete' GET parameter without proper nonce validation [1][2]. An attacker can exploit this to delete arbitrary feed data from the alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct database tables.
Exploitation
An unauthenticated attacker can craft a malicious link or form that triggers the alfie_manage() function with a 'delete' parameter. The attacker must trick a site administrator into clicking the link or submitting the form while authenticated to WordPress. No further authentication or privileges are required for the attacker beyond social engineering.
Impact
Successful exploitation allows an attacker to delete arbitrary plugin feed data stored in the specified database tables. This can lead to loss of product feed information, disruption of functionality, and potential data integrity issues. The impact is limited to the plugin's data and does not directly affect the core WordPress installation.
Mitigation
The vendor has not released a fixed version as of the publication date. The vulnerability is present in all versions up to 1.2.1. Users should consider disabling the plugin or implementing additional CSRF protection, such as a Web Application Firewall (WAF) rule to block requests lacking a nonce. Alternatively, users can contact the vendor for a patch.
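The check a WAF rule or log review would apply to this issue can be sketched as follows. This is an added example, not part of the advisory or the plugin's code. It assumes Apache/nginx "combined" access logs and a site hostname of `shop.example`; the log lines are constructed, and `PLUGIN_PAGE` is a placeholder because the plugin's admin page slug is not given here.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "shop.example"  # assumption: the WordPress site's own hostname

# Apache/nginx "combined" access-log format
LOG_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def classify(line):
    """Return None for unrelated lines, else (verdict, timestamp, target)."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query, keep_blank_values=True)
    if not url.path.startswith("/wp-admin/") or "delete" not in query:
        return None
    # Referer is "-" or empty when the browser withheld it; hostname is then None.
    ref_host = urlsplit(m["referer"]).hostname
    if ref_host != SITE_HOST:
        verdict = "cross-site-or-no-referer"  # a lead to review, not proof of CSRF
    elif "_wpnonce" not in query:
        verdict = "same-site-no-nonce"        # expected from unpatched <=1.2.1
    else:
        verdict = "nonce-present"
    return verdict, m["ts"], m["target"]

def triage(lines):
    """Keep delete requests that were cross-site or carried no nonce."""
    hits = [classify(line) for line in lines]
    return [h for h in hits if h and h[0] != "nonce-present"]

# Constructed sample log lines; PLUGIN_PAGE is a placeholder, not the real slug.
_P = "/wp-admin/admin.php?page=PLUGIN_PAGE"
_SELF = "https://shop.example" + _P
_FMT = '198.51.100.4 - - [{ts}] "GET {target} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
SAMPLE = [
    _FMT.format(ts="22/May/2026:10:01:12 +0000", target=_P + "&delete=3",
                ref="https://forum.example.net/thread/9"),
    _FMT.format(ts="22/May/2026:10:04:40 +0000", target=_P + "&delete=4", ref="-"),
    _FMT.format(ts="22/May/2026:10:09:03 +0000", target=_P + "&delete=5", ref=_SELF),
    _FMT.format(ts="22/May/2026:10:12:27 +0000",
                target=_P + "&delete=6&_wpnonce=abc123def0", ref=_SELF),
    _FMT.format(ts="22/May/2026:10:15:00 +0000", target="/wp-admin/index.php", ref=_SELF),
]

if __name__ == "__main__":
    for verdict, ts, target in triage(SAMPLE):
        print(verdict, ts, target)
```

Because versions up to 1.2.1 never issue a nonce, legitimate deletions also show up as `same-site-no-nonce`; the Referer host is what separates them from requests that originated on another site.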
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.1
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/tags/1.2.1/include/alfie-manage.php (nvd)
- plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/tags/1.2.1/include/alfie-manage.php (nvd)
- plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/trunk/include/alfie-manage.php (nvd)
- plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/trunk/include/alfie-manage.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/af36719a-8f7d-46dc-a697-cfcbb08e45e2 (nvd)