PT-2026-47679 · WordPress · Fastpicker
Muhammad Afnaan · Published 2026-06-09 · Updated 2026-06-11
CVE-2026-8904
| CVSS v3.1 | Vector |
|---|---|
| 4.3 (Medium) | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
FastPicker versions prior to 1.0.3
Description
The FastPicker plugin for WordPress is subject to Cross-Site Request Forgery. This occurs because the settingsPage() function lacks proper nonce validation (a nonce is a unique token used to verify that a request was intentionally sent by the user). This allows unauthenticated attackers to modify plugin settings, such as toggling webhook integration and changing the FastPicker and KDZ API URLs, by tricking a site administrator into clicking a malicious link.
Recommendations
Update the plugin to a version later than 1.0.2.
As a temporary mitigation, restrict administrative access to the plugin settings page to trusted networks only.
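The missing check described above, as an added example that is not the FastPicker plugin's own code: a settings handler in the vulnerable shape the advisory describes next to a hardened one that checks the caller's capability and verifies a WordPress nonce before saving anything. Option keys, the nonce action and field names, and the form field names are hypothetical placeholders.

```php
<?php
// Added example, not FastPicker's code. Option keys, nonce action/field names
// and form field names are hypothetical placeholders.

// BEFORE (the pattern the advisory describes): POST data is trusted with no nonce,
// so a form submitted cross-site by a logged-in admin's browser updates the options.
function settingsPage_vulnerable() {
    if ( isset( $_POST['fastpicker_submit'] ) ) {
        update_option( 'fastpicker_webhook_enabled', ! empty( $_POST['webhook_enabled'] ) ? 1 : 0 );
        update_option( 'fastpicker_api_url', $_POST['fastpicker_api_url'] );
        update_option( 'kdz_api_url', $_POST['kdz_api_url'] );
    }
    // ... form rendered without wp_nonce_field() ...
}

// AFTER: capability check plus nonce verification before any state change.
function settingsPage_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'fastpicker' ) );
    }
    if ( isset( $_POST['fastpicker_submit'] ) ) {
        // check_admin_referer() validates a nonce bound to this user, this action and
        // a time window; a request forged from another origin cannot carry one and dies here.
        check_admin_referer( 'fastpicker_save_settings', 'fastpicker_nonce' );

        update_option( 'fastpicker_webhook_enabled', ! empty( $_POST['webhook_enabled'] ) ? 1 : 0 );
        update_option( 'fastpicker_api_url', esc_url_raw( wp_unslash( $_POST['fastpicker_api_url'] ?? '' ) ) );
        update_option( 'kdz_api_url', esc_url_raw( wp_unslash( $_POST['kdz_api_url'] ?? '' ) ) );
        echo '<div class="notice notice-success"><p>Settings saved.</p></div>';
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'fastpicker_save_settings', 'fastpicker_nonce' ); ?>
        <label><input type="checkbox" name="webhook_enabled" value="1"
            <?php checked( (int) get_option( 'fastpicker_webhook_enabled', 0 ), 1 ); ?>> Enable webhook</label><br>
        <label>FastPicker API URL
            <input type="url" name="fastpicker_api_url"
                value="<?php echo esc_attr( get_option( 'fastpicker_api_url', '' ) ); ?>"></label><br>
        <label>KDZ API URL
            <input type="url" name="kdz_api_url"
                value="<?php echo esc_attr( get_option( 'kdz_api_url', '' ) ); ?>"></label><br>
        <?php submit_button( 'Save', 'primary', 'fastpicker_submit' ); ?>
    </form>
    <?php
}
```

The nonce only proves the request originated from a form WordPress rendered for this user; the current_user_can() check is still needed, because a nonce does not grant authorization on its own.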
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Fastpicker