CVE-2026-4070

Name of the Vulnerable Software and Affected Versions Alfie – Feed Plugin for WordPress versions prior to 1.2.2

Description Cross-Site Request Forgery occurs due to missing nonce validation in the alfie manage() function, which handles feed deletion through the 'delete' GET parameter. This allows unauthenticated attackers to delete arbitrary plugin feed data from the alfie colindex, alfie producten, alfie reactions, and alfie searchproduct tables by tricking a site administrator into clicking a forged link. Nonce validation is a security mechanism used to ensure that a request was intentionally sent by the user and not forged by a third party.

Recommendations Update to a version newer than 1.2.1. As a temporary workaround, restrict access to the alfie manage() function until the update is applied.