CVE-2026-6396

Name of the Vulnerable Software and Affected Versions Fast & Fancy Filter – 3F plugin for WordPress versions prior to 1.2.3

Description Cross-Site Request Forgery occurs due to missing nonce verification in the saveFields() function, which handles the 'fff save settins' AJAX action. This allows unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts by tricking a site administrator into clicking a link.

Recommendations Update the plugin to a version later than 1.2.2. As a temporary workaround, restrict access to the saveFields() function until the update is applied.