VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published May 27, 2026

CVE-2026-8939

Description

The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin's settings (including post types to search in, custom fields, media fields and the custom media function name) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Search Simple Fields plugin for WordPress (≤0.2) is vulnerable to CSRF, allowing unauthenticated attackers to modify plugin settings via a forged request.

Vulnerability

The Search Simple Fields plugin for WordPress, versions up to and including 0.2, is vulnerable to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php [1][2]. This function processes and saves plugin settings without verifying the request origin, making the settings update endpoint accessible to forged requests.
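The pattern the advisory describes, shown as an added illustrative example rather than the plugin's own code: a settings handler that writes whatever arrives in $_POST with no nonce or capability check, next to the hardened form a WordPress plugin should use. Only the function name search_simple_fields_options() comes from the advisory; the option and form field names (ssf_*) and the nonce action are hypothetical.

```php
<?php
// Added example, not code from the Search Simple Fields plugin.
// Option and field names are hypothetical placeholders.

// VULNERABLE PATTERN: the request is trusted purely because an administrator's
// browser sent it, so a cross-site form the admin was lured into submitting
// is accepted just like a legitimate save (the CSRF class of bug described above).
function search_simple_fields_options_vulnerable() {
    if ( isset( $_POST['ssf_post_types'] ) ) {
        update_option( 'ssf_post_types', $_POST['ssf_post_types'] );
        update_option( 'ssf_custom_fields', $_POST['ssf_custom_fields'] );
    }
    // ... render the settings form ...
}

// HARDENED PATTERN: capability check, nonce check tied to this action, and
// sanitisation before anything is stored.
function search_simple_fields_options_hardened() {
    if ( isset( $_POST['ssf_save'] ) ) {
        // 1. Only users allowed to manage options may change these settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'search-simple-fields' ) );
        }
        // 2. The nonce proves the form was rendered by WordPress for this user
        //    and this action; a forged cross-site request cannot supply it.
        //    check_admin_referer() stops execution when verification fails.
        check_admin_referer( 'ssf_save_options', 'ssf_nonce' );

        // 3. Sanitise inputs before persisting them.
        $post_types = isset( $_POST['ssf_post_types'] )
            ? array_map( 'sanitize_key', (array) wp_unslash( $_POST['ssf_post_types'] ) )
            : array();
        $custom_fields = isset( $_POST['ssf_custom_fields'] )
            ? sanitize_text_field( wp_unslash( $_POST['ssf_custom_fields'] ) )
            : '';
        update_option( 'ssf_post_types', $post_types );
        update_option( 'ssf_custom_fields', $custom_fields );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ssf_save_options', 'ssf_nonce' ); ?>
        <input type="text" name="ssf_custom_fields" value="<?php echo esc_attr( get_option( 'ssf_custom_fields', '' ) ); ?>">
        <input type="submit" name="ssf_save" value="<?php esc_attr_e( 'Save', 'search-simple-fields' ); ?>">
    </form>
    <?php
}
```

A plugin that routes its settings through register_setting() and options.php gets the nonce and capability checks from the Settings API instead; the manual checks above matter when a handler saves options itself, as the advisory says this one does.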

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link or form that triggers a settings update request. No authentication is required to send the request, but the attacker must trick a site administrator into clicking the link or submitting the form (e.g., via social engineering or embedding in a page). The attacker does not need any prior access or credentials.

Impact

Successful exploitation allows an attacker to modify the plugin's settings, including which post types are searched, custom fields, media fields, and the custom media function name. This could lead to unintended search behavior, exposure of sensitive custom fields, or alteration of the plugin's functionality. The impact is limited to settings changes; no direct code execution is achieved.

Mitigation

As of the publication date (2026-05-27), no patched version has been released. Users should disable the Search Simple Fields plugin until a fix is available. There is no known workaround. The plugin may be abandoned, so consider replacing it with an alternative.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.