PT-2026-26848 · WordPress · Xhanch – My Advanced Settings

Published: 2026-03-21 · Updated: 2026-03-21 · CVE-2026-3332

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Xhanch - My Advanced Settings plugin for WordPress versions up to and including 1.1.2

Description

The software is susceptible to Cross-Site Request Forgery due to missing nonce validation in the xms setting() function, specifically within the settings update handler. This allows unauthenticated attackers to modify plugin settings through a forged request if they can trick a site administrator into performing an action. Modifiable settings include the favicon URL and Google Analytics account ID, as well as various WordPress behavior toggles. The favicon url and ga acc id values are output on the front-end without proper escaping, potentially leading to a Cross-Site Request Forgery to Stored Cross-Site Scripting chain.

Recommendations

Update Xhanch - My Advanced Settings plugin for WordPress to a version later than 1.1.2.
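
For plugin authors and code reviewers, the two controls the description reports as absent (nonce validation in the settings update handler, escaping of the stored values on output) look like this in a WordPress plugin. This is an added example, not the plugin's own code: every demo_* function, option and field name is hypothetical, and the accepted Analytics ID shapes are an assumption.

```php
<?php
// Added example: hypothetical plugin code. All demo_* names are assumptions.
const DEMO_NONCE_ACTION = 'demo_settings_save';

// Emit the nonce field inside the settings <form>.
function demo_settings_form_fields() {
    wp_nonce_field( DEMO_NONCE_ACTION, 'demo_nonce' );
}

// Settings update handler.
function demo_settings_save() {
    if ( ! isset( $_POST['demo_save'] ) ) {
        return;
    }
    // Only administrators may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce validation: a cross-site forged request cannot supply a valid
    // nonce, so check_admin_referer() stops it before any option is written.
    check_admin_referer( DEMO_NONCE_ACTION, 'demo_nonce' );

    // Validate on input: http(s) URLs only, and an ID of a known shape.
    $favicon = isset( $_POST['demo_favicon_url'] )
        ? esc_url_raw( wp_unslash( $_POST['demo_favicon_url'] ), array( 'http', 'https' ) )
        : '';
    $ga_id = isset( $_POST['demo_ga_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_ga_id'] ) )
        : '';
    if ( ! preg_match( '/^(UA-\d+-\d+|G-[A-Z0-9]+)$/', $ga_id ) ) {
        $ga_id = ''; // Reject anything that is not shaped like an Analytics ID.
    }
    update_option( 'demo_favicon_url', $favicon );
    update_option( 'demo_ga_id', $ga_id );
}
add_action( 'admin_init', 'demo_settings_save' );

// Front-end output: escape for the context each value lands in, even though
// it was validated on save (older stored values may predate the validation).
function demo_head_output() {
    $favicon = get_option( 'demo_favicon_url', '' );
    if ( $favicon ) {
        printf( '<link rel="icon" href="%s" />' . "\n", esc_url( $favicon ) );
    }
    $ga_id = get_option( 'demo_ga_id', '' );
    if ( $ga_id ) {
        printf( "<script>var demoGaId = %s;</script>\n", wp_json_encode( $ga_id, JSON_HEX_TAG | JSON_HEX_AMP ) );
    }
}
add_action( 'wp_head', 'demo_head_output' );
```

Output escaping is kept independent of the nonce check so that a value already stored before the handler was fixed cannot render as markup.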

Fix

CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-3332

Affected Products: Xhanch – My Advanced Settings