CVE-2026-8909

Vulnerability

The WpMobi plugin for WordPress versions up to and including 0.0.3 is vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient nonce validation in the handleSaveGeneralSettings function. This vulnerability affects the General Settings page of the plugin.

Exploitation

An unauthenticated attacker can exploit this vulnerability by tricking a site administrator into clicking a crafted link or performing an action. This forged request targets the handleSaveGeneralSettings function, allowing the attacker to inject arbitrary web scripts into the administrator's browser via the app_name attribute, even if the value fails validation and is not saved to the database, because the form re-renders with the in-memory value on validation failure [1].

Impact

Successful exploitation allows an attacker to inject arbitrary web scripts into the administrator's browser. This can lead to various client-side attacks, such as session hijacking or phishing, depending on the injected script. The scope of the compromise is limited to the administrator's browser session.

Mitigation

There is no specific mitigation or patched version disclosed in the available references. Users are advised to disable or remove the WpMobi plugin until a fix is available. The plugin has not been listed on the Known Vulnerable Extensions (KEV) list at this time.