PT-2026-34294 · WordPress · Textp2P Texting Widget
Muhammad Afnaan · Published 2026-04-22 · Updated 2026-05-01 · CVE-2026-4133
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
TextP2P Texting Widget versions prior to 1.8
Description
The TextP2P Texting Widget plugin for WordPress is susceptible to Cross-Site Request Forgery. This occurs because the imTextP2POptionPage() function, which handles settings updates, lacks nonce validation. Specifically, the form does not include a wp_nonce_field(), and the POST handler fails to call check_admin_referer() or wp_verify_nonce() before processing changes. This allows unauthenticated attackers to update plugin settings, including chat widget titles, messages, API credentials, colors, and reCAPTCHA configuration, by tricking a site administrator into clicking a malicious link.
Recommendations
Update the plugin to a version later than 1.7.
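For plugin authors checking their own settings pages for the same gap, the following added example (not the TextP2P plugin's code) shows a settings handler that pairs wp_nonce_field() in the form with check_admin_referer() in the POST handler. The function, option, action and field names prefixed example_ are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Widget Settings (added example)
 * Hypothetical plugin for illustration; all example_ names are assumptions.
 */
add_action( 'admin_menu', function () {
    add_options_page(
        'Example Widget', 'Example Widget', 'manage_options',
        'example-widget', 'example_widget_options_page'
    );
} );

function example_widget_options_page() {
    // Authorization: only users who may manage options can view or save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // CSRF check: execution stops here unless the request carries a
        // valid nonce for this action, bound to the current user session.
        check_admin_referer( 'example_widget_save', 'example_widget_nonce' );

        $title = isset( $_POST['example_widget_title'] )
            ? sanitize_text_field( wp_unslash( $_POST['example_widget_title'] ) )
            : '';
        update_option( 'example_widget_title', $title );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }

    $title = get_option( 'example_widget_title', '' );
    ?>
    <div class="wrap">
        <h1>Example Widget</h1>
        <form method="post">
            <?php
            // Emits the hidden nonce field that the handler above verifies;
            // a form hosted on another origin cannot supply a valid value.
            wp_nonce_field( 'example_widget_save', 'example_widget_nonce' );
            ?>
            <input type="text" name="example_widget_title"
                   value="<?php echo esc_attr( $title ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

The nonce check must run before any update_option() call; the capability check alone does not stop a forged request, because the administrator's browser sends it with a valid session.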
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Textp2P Texting Widget