https://feed.craftedsignal.io/tags/csrf/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 01 May 2026 12:16:16 +0000https://feed.craftedsignal.io/briefs/2024-01-wp-editor-csrf/Fri, 01 May 2026 12:16:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wp-editor-csrf/The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.The WP Editor plugin, a WordPress plugin, contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.2.9.2. This vulnerability stems from a lack of nonce verification in the ‘add_plugins_page’ and ‘add_themes_page’ functions. An unauthenticated attacker can exploit this vulnerability by crafting a malicious request designed to overwrite arbitrary plugin and theme PHP files with attacker-controlled code. The success of this attack hinges on the attacker’s ability to deceive a site administrator into triggering the forged request, typically by clicking a specially crafted link. This flaw allows for potential arbitrary code execution on the targeted WordPress site.

Attack Chain

1. The attacker identifies a vulnerable WordPress site running a WP Editor plugin version <= 1.2.9.2.
2. The attacker crafts a malicious HTTP request targeting the ‘add_plugins_page’ or ‘add_themes_page’ functions. This request includes parameters designed to overwrite a specific plugin or theme PHP file with attacker-supplied code.
3. The attacker social engineers a WordPress administrator into clicking a malicious link or visiting a compromised website containing the forged request. This could be achieved via phishing emails or other deceptive techniques.
4. If the administrator is logged into the WordPress dashboard, their browser automatically sends the forged request to the vulnerable WordPress site.
5. Due to the missing nonce verification, the WordPress site processes the request without validating its origin.
6. The target plugin or theme PHP file is overwritten with the attacker’s malicious code.
7. The attacker’s code is executed when the plugin or theme is loaded or accessed.
8. The attacker achieves arbitrary code execution on the WordPress server, potentially leading to complete site compromise.

Impact

Successful exploitation of this CSRF vulnerability allows an unauthenticated attacker to inject arbitrary PHP code into a WordPress website. This can lead to a full compromise of the website, including data theft, defacement, or the installation of backdoors for persistent access. Given the widespread use of WordPress and the WP Editor plugin, a large number of websites are potentially at risk. Successful attacks can result in significant reputational damage and financial losses for affected website owners.

Recommendation

• Upgrade the WP Editor plugin to the latest available version, which includes a fix for CVE-2026-3772.
• Implement strong CSRF protection measures on all WordPress forms and administrative functions.
• Deploy the provided Sigma rule to detect attempts to exploit this vulnerability through suspicious requests to the add_plugins_page or add_themes_page endpoints.

]]>highadvisorycsrfwordpresspluginvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-csrf/Fri, 24 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-csrf/OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.OpenClaw before version 2026.3.31 is susceptible to Cross-Site Request Forgery (CSRF) attacks. The vulnerability lies in the lack of browser-origin validation within the HTTP operator endpoints when the application operates in trusted-proxy mode. This allows an attacker to craft malicious HTTP requests originating from a user’s browser to perform unauthorized actions within the OpenClaw application. Successful exploitation of this vulnerability enables attackers to execute privileged operations, potentially leading to data modification or unauthorized access to sensitive functionalities. This vulnerability requires the application to be deployed in trusted-proxy mode to be exploitable.

Attack Chain

1. An attacker crafts a malicious HTML page containing a forged HTTP request targeting a vulnerable OpenClaw HTTP operator endpoint.
2. The attacker hosts the malicious HTML page on a website or delivers it through phishing.
3. A victim user, authenticated to the OpenClaw application, visits the malicious HTML page in their browser.
4. The victim’s browser automatically sends the forged HTTP request to the vulnerable OpenClaw endpoint.
5. Because the OpenClaw application lacks proper browser-origin validation, it processes the forged request.
6. The attacker is able to perform unauthorized actions as the authenticated user.
7. The attacker can modify user configurations or exfiltrate data.

Impact

Successful exploitation of this CSRF vulnerability in OpenClaw can lead to unauthorized modification of application settings, data manipulation, or even complete account takeover. While specific victim numbers are unavailable, the impact extends to any organization utilizing OpenClaw in a trusted-proxy deployment scenario. The vulnerability can potentially compromise data integrity and confidentiality, leading to significant operational disruptions.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41347.
• Deploy the Sigma rule below to detect suspicious HTTP requests lacking proper origin validation within your web server logs.
• Implement proper CSRF protection mechanisms, such as synchronizer tokens, in OpenClaw’s HTTP operator endpoints.

]]>mediumadvisorycsrfweb-applicationvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-woocommerce-csrf/Wed, 08 Apr 2026 02:16:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-woocommerce-csrf/The Product Feed PRO for WooCommerce WordPress plugin (versions 13.4.6-13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to perform administrative actions by tricking an administrator into clicking a malicious link.The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin, a WordPress plugin, suffers from a Cross-Site Request Forgery (CSRF) vulnerability. Present in versions 13.4.6 through 13.5.2.1, this flaw allows unauthenticated attackers to execute administrative functions if they can successfully coerce a site administrator into performing an action, such as clicking a specially crafted link. The vulnerability stems from the plugin’s failure to implement proper nonce validation on several AJAX actions, including ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed. This vulnerability poses a significant risk to WooCommerce store owners using the affected plugin.

Attack Chain

1. The attacker crafts a malicious URL containing a request to one of the vulnerable AJAX actions (e.g., ajax_migrate_to_custom_post_type).
2. The attacker distributes the malicious URL via email, social media, or another channel, attempting to trick a WordPress administrator into clicking the link.
3. The administrator, while authenticated to the WordPress admin panel, clicks the malicious link.
4. The administrator’s browser sends the forged request to the WordPress server, including the administrator’s session cookies.
5. Due to the missing or incorrect nonce validation, the WordPress server processes the request as if it were a legitimate action performed by the administrator.
6. Depending on the specific AJAX action targeted, the attacker can trigger feed migration, clear custom attribute caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, or delete duplicate feed posts.
7. The attacker repeats this process to perform other administrative actions, gaining control over the plugin’s settings and data.
8. The attacker potentially manipulates product feeds to inject malicious content, redirect users, or compromise the WooCommerce store’s SEO.

Impact

Successful exploitation of this CSRF vulnerability (CVE-2026-3499) could allow an attacker to manipulate a WooCommerce store’s product feeds, potentially leading to data corruption, SEO poisoning, or the injection of malicious content. If successful, attackers could modify product information, redirect users to phishing sites, or damage the store’s reputation. The severity of the impact depends on the targeted AJAX action, but the potential for unauthorized administrative control is significant. Given the wide usage of WooCommerce and the Product Feed PRO plugin, a large number of online stores are potentially at risk.

Recommendation

• Upgrade the Product Feed PRO for WooCommerce plugin to a patched version greater than 13.5.2.1 to remediate CVE-2026-3499.
• Deploy the provided Sigma rules to your SIEM to detect exploitation attempts targeting the vulnerable AJAX actions.
• Implement web application firewall (WAF) rules to block requests to the vulnerable AJAX endpoints originating from suspicious referrers.
• Educate WordPress administrators on the risks of CSRF attacks and the importance of verifying links before clicking them.

]]>highadvisorywordpresswoocommercecsrfcve-2026-3499https://feed.craftedsignal.io/briefs/2026-04-wordpress-csrf/Tue, 07 Apr 2026 09:16:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-wordpress-csrf/A cross-site request forgery (CSRF) vulnerability exists in the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin (versions n/a through 2.1.1), potentially allowing attackers to execute unauthorized actions on behalf of legitimate users.A cross-site request forgery (CSRF) vulnerability, identified as CVE-2026-34896, affects the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin. This vulnerability allows an attacker to trick a user into performing actions they did not intend to, such as modifying plugin settings or performing administrative tasks, provided the targeted user is authenticated to the WordPress site. The vulnerability exists in versions from n/a through 2.1.1. The vulnerability was reported to affect a publicly available plugin, increasing the scope of potentially impacted websites. Successful exploitation could lead to arbitrary code execution depending on the privileges of the targeted user and plugin functionality that can be abused.

Attack Chain

1. An attacker identifies a vulnerable WordPress site running the affected plugin.
2. The attacker crafts a malicious HTML page containing a CSRF exploit. This page contains a crafted HTTP request designed to trigger a specific action within the plugin (e.g., changing settings) when submitted by an authenticated user.
3. The attacker distributes the malicious HTML page via email, social media, or other means to a targeted WordPress administrator or user.
4. The targeted user, while logged into the vulnerable WordPress site, visits the malicious HTML page.
5. The user’s browser automatically submits the crafted HTTP request to the WordPress site without the user’s knowledge or consent.
6. The WordPress site, believing the request originated from the authenticated user, processes the request and executes the attacker’s desired action.
7. The attacker’s malicious action, such as changing plugin settings, is successfully performed on the vulnerable WordPress site.
8. Depending on the privileges of the compromised user and vulnerable plugin settings, the attacker may be able to achieve arbitrary code execution, site defacement, or data theft.

Impact

Successful exploitation of this CSRF vulnerability (CVE-2026-34896) in the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin could lead to unauthorized modification of website settings, potentially resulting in site defacement, malware injection, or complete website takeover. The impact depends on the targeted user’s privileges and the plugin’s configurable options. While the exact number of affected websites is unknown, the plugin’s popularity suggests a potentially broad impact across various sectors using WordPress for their online presence.

Recommendation

• Upgrade the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin to a version beyond 2.1.1 to patch CVE-2026-34896.
• Deploy the Sigma rule Detect WordPress Plugin Setting Changes via POST to monitor for unauthorized changes to WordPress plugins.
• Educate WordPress users on the risks of CSRF attacks and the importance of verifying the legitimacy of links and websites before clicking them.

]]>mediumadvisorywordpresscsrfvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-03-gitlab-csrf/Thu, 26 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-gitlab-csrf/CVE-2026-3857 describes a vulnerability in GitLab CE/EE versions 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, where an unauthenticated user can execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection, potentially leading to data modification or privilege escalation.<p>GitLab has addressed a critical security flaw, identified as CVE-2026-3857, within its Community Edition (CE) and Enterprise Edition (EE). This vulnerability impacts GitLab instances running versions 17.10 up to, but not including, 18.8.7, versions 18.9 up to 18.9.3, and versions 18.10 up to 18.10.1. The core issue lies in insufficient Cross-Site Request Forgery (CSRF) protection when handling GraphQL mutations. An unauthenticated attacker could exploit this by crafting malicious web pages…</p> highadvisorygitlabcsrfcve-2026-3857graphqlhttps://feed.craftedsignal.io/briefs/2024-01-engram-csrf-prompt-injection/Wed, 24 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-engram-csrf-prompt-injection/The engramx HTTP server, enabled by default and binding to 127.0.0.1:7337, is vulnerable to CSRF and prompt injection attacks, allowing a malicious website to exfiltrate the local knowledge graph and inject persistent prompt-injection payloads.The engramx HTTP server, which is enabled by default and listens on 127.0.0.1:7337, is vulnerable to Cross-Site Request Forgery (CSRF) and prompt injection attacks in versions prior to 2.0.2. This vulnerability stems from a combination of a wildcard CORS policy (Access-Control-Allow-Origin: *) and the absence of authentication by default. An attacker could exploit this by enticing a developer to visit a malicious web page, leading to the exfiltration of sensitive data from the local knowledge graph and the injection of malicious payloads. The vulnerability was discovered and responsibly disclosed by @gabiudrescu in engram issue #7. Defenders should prioritize upgrading to version 2.0.2 or implementing the provided workarounds to mitigate the risk of unauthorized access and persistent compromise.

Attack Chain

1. A developer installs a vulnerable version of engramx (>= 1.0.0, < 2.0.2) and the HTTP server starts by default.
2. The server binds to 127.0.0.1:7337 and serves requests without requiring authentication unless ENGRAM_API_TOKEN is explicitly set.
3. A developer visits a malicious website in their browser.
4. The malicious website crafts a cross-origin request to 127.0.0.1:7337 due to the Access-Control-Allow-Origin: * header.
5. A GET request to /query or /stats is sent, exfiltrating the local knowledge graph, including function names, file layout, and recorded decisions/mistakes.
6. A POST request to /learn is sent with a crafted prompt-injection payload, exploiting the lack of Content-Type: application/json enforcement.
7. The injected payload is written as mistake/decision nodes in the knowledge graph.
8. The user’s AI coding agent is persistently reminded of the injected payload on every future session and file edit, leading to compromised code generation and execution.

Impact

Successful exploitation of this vulnerability could lead to the compromise of sensitive developer data, including internal function names, file layouts, and coding decisions, allowing attackers to gain insights into the target’s projects. Furthermore, the injection of persistent prompt-injection payloads can lead to the ongoing corruption of the user’s AI coding agent, potentially causing the generation of flawed or malicious code. While the exact number of affected users is unknown, any developer using a vulnerable version of engramx is susceptible to this attack.

Recommendation

• Upgrade to engramx@2.0.2 or later to apply the remediation measures outlined in the advisory.
• If upgrading is not immediately feasible, do not run engram server or engram ui as a workaround.
• If engram server must be run, set ENGRAM_API_TOKEN to a long random value and terminate the server before browsing the web (as noted in the advisory).
• Deploy the Sigma rule “Detect engramx API access without authentication” to identify potentially unauthorized access attempts to the engramx API.
• Monitor network connections to port 7337 on localhost, filtering for unexpected processes initiating connections.

]]>highadvisorycsrfprompt-injectionengramx