PT-2026-45706 · WordPress · Birdseed
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
BirdSeed versions prior to 2.2.1
Description
The BirdSeed plugin for WordPress is subject to Cross-Site Request Forgery. This occurs because the
birdseed plugin settings page() function fails to perform nonce validation—a security mechanism used to ensure that a request was intentionally sent by the user. The function processes the birdseed token GET parameter and saves it to the database using update option() without verification. Consequently, unauthenticated attackers can modify the plugin's BirdSeed token setting by tricking a site administrator into clicking a malicious link.Recommendations
Update to a version later than 2.2.0.
As a temporary workaround, restrict administrative access to the plugin settings page to minimize the risk of exploitation.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Birdseed