PT-2026-42076 · WordPress · Games Catalog

Ibnu +1 · Published 2026-05-20 · Updated 2026-05-28 · CVE-2026-8418

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Games Catalog versions prior to 1.2.1

Description

The Games Catalog plugin for WordPress is susceptible to Cross-Site Request Forgery, a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs because the gc_crud() function fails to properly validate nonces (unique tokens used to verify that a request is legitimate) when handling the action parameter with the value delete via a GET request. Consequently, unauthenticated attackers can delete arbitrary game catalog entries and their associated WordPress posts by inducing a site administrator to click a malicious link.

Recommendations

Update the plugin to a version later than 1.2.0. As a temporary workaround, restrict access to the gc_crud() function or avoid using the action parameter with the delete value until the update is applied.
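
The checks that the delete handler described above is missing, as an added example that is not the Games Catalog plugin's code. All `gcx_*` names and the `gcx-catalog` page slug are hypothetical, and the example assumes the entry id in the request is the WordPress post ID.

```php
<?php
// Added example with hypothetical names (gcx_*); not the plugin's own code.
// Assumption: the entry id passed in the request is the WordPress post ID.

// Build the delete link with a nonce bound to the action and the entry.
function gcx_delete_url( int $entry_id ): string {
    $url = add_query_arg(
        array( 'page' => 'gcx-catalog', 'action' => 'delete', 'id' => $entry_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'gcx_delete_' . $entry_id, '_wpnonce' );
}

// Handle the delete request; every check runs before any state changes.
function gcx_handle_delete(): void {
    $page   = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    $action = isset( $_GET['action'] ) ? sanitize_key( wp_unslash( $_GET['action'] ) ) : '';
    if ( 'gcx-catalog' !== $page || 'delete' !== $action ) {
        return; // Not a delete request for this screen.
    }

    $entry_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $entry_id ) {
        wp_die( 'Missing entry id.', '', array( 'response' => 400 ) );
    }

    // Authorization: the logged-in user must be allowed to delete this post.
    if ( ! current_user_can( 'delete_post', $entry_id ) ) {
        wp_die( 'You are not allowed to delete this entry.', '', array( 'response' => 403 ) );
    }

    // CSRF: check_admin_referer() stops the request when the nonce is
    // missing, expired, or was issued for a different action or entry.
    check_admin_referer( 'gcx_delete_' . $entry_id, '_wpnonce' );

    // Only now perform the destructive operation.
    wp_delete_post( $entry_id, true );

    // Drop the one-time parameters so a page reload cannot replay the request.
    wp_safe_redirect( remove_query_arg( array( 'action', 'id', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'gcx_handle_delete' );
```

Binding the nonce action to the entry id means a token issued for one entry cannot be reused against another. Moving the delete to a POST form with `wp_nonce_field()` additionally keeps the state change out of plain links.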

Fix

CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-8418

Affected Products: Games Catalog