Medium severity4.3NVD Advisory· Published Apr 22, 2026· Updated Apr 22, 2026

CVE-2026-6396

Description

The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected products

WordPress/Fast Fancy Filter 3finferred
Range: <=1.2.2
Package: https://wordpress.org/plugins/fast-fancy-filter-3f
Fast & Fancy Filter – 3F/Fast & Fancy Filter – 3F plugin for WordPressllm-create
Range: <=1.2.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026)
Wordfence Blog · Apr 30, 2026

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000