PT-2026-34296 · WordPress · Mcatfilter

Muhammad Afnaan · Published 2026-04-22 · Updated 2026-04-23

CVE-2026-4139

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: mCatFilter versions prior to 0.5.3
Description: The mCatFilter plugin for WordPress is susceptible to Cross-Site Request Forgery. The compute_post() function, which processes settings updates, lacks nonce verification and capability checks. This function is executed on every page load via the plugins_loaded hook and processes $_POST data to modify plugin settings through update_option() without validating a CSRF token. Consequently, unauthenticated attackers can modify plugin settings, such as category exclusion rules, feed exclusion flags, and tag page exclusion flags, by tricking a site administrator into clicking a malicious link.
Recommendations: Update to a version later than 0.5.2. As a temporary workaround, restrict access to the compute_post() function or the plugins_loaded hook until a patch is applied.
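The pattern the advisory describes, beside its hardened form, as an added illustration that is not the plugin's own source: the option names, form field names and the mcf_ prefix are assumptions, and only the WordPress API calls (check_admin_referer, current_user_can, wp_nonce_field, update_option) are real.

```php
<?php
// Hypothetical reconstruction of the advisory's description; not mCatFilter's code.
// Option and field names are assumptions for illustration.

// Vulnerable shape: hooked to plugins_loaded, so it runs on every request,
// and it trusts $_POST without a nonce or a capability check.
function mcf_compute_post_vulnerable() {
    if ( isset( $_POST['mcf_exclude_cats'] ) ) {
        update_option( 'mcf_exclude_cats', sanitize_text_field( wp_unslash( $_POST['mcf_exclude_cats'] ) ) );
        update_option( 'mcf_exclude_feed', ! empty( $_POST['mcf_exclude_feed'] ) ? 1 : 0 );
        update_option( 'mcf_exclude_tags', ! empty( $_POST['mcf_exclude_tags'] ) ? 1 : 0 );
    }
}
add_action( 'plugins_loaded', 'mcf_compute_post_vulnerable' );

// Hardened shape: only on an explicit save, only for users who may manage
// options, and only when the nonce bound to this action verifies.
function mcf_compute_post_hardened() {
    if ( ! isset( $_POST['mcf_save_settings'] ) ) {
        return; // ordinary page loads never reach the update path
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 unless $_POST['_wpnonce'] was issued for 'mcf_save_settings'
    // to the current user; a cross-site form cannot supply a valid value.
    check_admin_referer( 'mcf_save_settings', '_wpnonce' );

    $cats = isset( $_POST['mcf_exclude_cats'] )
        ? sanitize_text_field( wp_unslash( $_POST['mcf_exclude_cats'] ) )
        : '';
    update_option( 'mcf_exclude_cats', $cats );
    update_option( 'mcf_exclude_feed', ! empty( $_POST['mcf_exclude_feed'] ) ? 1 : 0 );
    update_option( 'mcf_exclude_tags', ! empty( $_POST['mcf_exclude_tags'] ) ? 1 : 0 );
}
// Handle the save on an admin request instead of on every front-end page load.
add_action( 'admin_init', 'mcf_compute_post_hardened' );

// The settings form must emit the matching nonce field for the check above.
function mcf_settings_form_nonce() {
    wp_nonce_field( 'mcf_save_settings', '_wpnonce' );
}
```

The capability check and the nonce check are independent defenses: the first stops non-administrators, the second stops a logged-in administrator's browser from being driven by a foreign page.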

Fix

CSRF


Related Identifiers: CVE-2026-4139

Affected Products: Mcatfilter