PT-2026-45706 · WordPress · Birdseed

·

CVE-2026-4071

·

Published

2026-06-02

·

Updated

2026-06-11

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions BirdSeed versions prior to 2.2.1
Description The BirdSeed plugin for WordPress is subject to Cross-Site Request Forgery. This occurs because the birdseed plugin settings page() function fails to perform nonce validation—a security mechanism used to ensure that a request was intentionally sent by the user. The function processes the birdseed token GET parameter and saves it to the database using update option() without verification. Consequently, unauthenticated attackers can modify the plugin's BirdSeed token setting by tricking a site administrator into clicking a malicious link.
Recommendations Update to a version later than 2.2.0. As a temporary workaround, restrict administrative access to the plugin settings page to minimize the risk of exploitation.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-4071

Affected Products

Birdseed