PT-2026-47681 · WordPress · Wpmobi

Published

2026-06-09

·

Updated

2026-06-09

·

CVE-2026-8909

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WpMobi versions prior to 0.0.4

Description

The WpMobi plugin for WordPress is subject to Cross-Site Request Forgery (CSRF), a flaw in which an attacker tricks a victim into performing actions they did not intend to perform. It occurs due to missing or incorrect nonce validation in the handleSaveGeneralSettings() function. An unauthenticated attacker who can get a logged-in administrator to submit a forged request (UI:R in the vector) can modify the General Settings and inject arbitrary web scripts into the administrator's browser, because the submitted app name attribute is reflected back into the form without escaping. The script executes even if the app name value fails validation and is never written to the database: on failure the form re-renders using the attacker-supplied in-memory value, so output escaping is the only thing that would have stopped it.

Recommendations

Update to version 0.0.4 or later. As a temporary workaround, restrict access to the handleSaveGeneralSettings() function (for example, by requiring and verifying a WordPress nonce before it runs) to minimize the risk of exploitation; escaping the app name on output would independently neutralize the injected script, but does not by itself stop the settings change.
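The following is an added illustrative example, not code from the WpMobi plugin: a minimal WordPress settings handler written in the vulnerable shape the advisory describes (no nonce check, and the unsaved, attacker-supplied value echoed unescaped into the re-rendered form) next to a hardened version. All function, option and field names here (wpmobi_demo_*, app_name, wpmobi_demo_nonce) are assumptions for the demo and do not correspond to WpMobi's real identifiers; the WordPress API calls (check_admin_referer, wp_nonce_field, sanitize_text_field, esc_attr, update_option) are standard.

```php
<?php
/**
 * Plugin Name: WpMobi nonce/escaping demo (illustrative, not the WpMobi plugin's code)
 *
 * Added example: the vulnerable pattern the advisory describes beside the
 * hardened one. Every function, option and field name (wpmobi_demo_*,
 * app_name, wpmobi_demo_save, wpmobi_demo_nonce) is an assumption for the demo.
 * Drop the file into wp-content/mu-plugins/ on a test site and flip the
 * constant below to compare the two flows.
 */

define( 'WPMOBI_DEMO_HARDENED', true ); // set to false to exercise the vulnerable flow

add_action( 'admin_menu', function () {
    add_options_page( 'WpMobi Demo', 'WpMobi Demo', 'manage_options',
        'wpmobi-demo', 'wpmobi_demo_settings_page' );
} );

/* ---- vulnerable: no nonce check, raw reflection on validation failure ---- */
function wpmobi_demo_save_vulnerable() {
    // No check_admin_referer(): any site the admin visits can POST this form
    // and the browser will attach the admin's cookies (the CSRF).
    $app_name = isset( $_POST['app_name'] ) ? wp_unslash( $_POST['app_name'] ) : '';
    $valid    = preg_match( '/^[A-Za-z0-9 ]{1,32}$/', $app_name ) === 1;
    if ( $valid ) {
        update_option( 'wpmobi_demo_app_name', $app_name );
    }
    // Returned even when $valid is false: the unsaved value still reaches the form.
    return array( 'valid' => $valid, 'app_name' => $app_name );
}

function wpmobi_demo_render_vulnerable( $app_name, $valid ) {
    echo '<form method="post">';
    if ( ! $valid ) {
        echo '<p>Invalid app name.</p>';
    }
    // BUG: attribute not escaped. A value such as  "><script>...</script>
    // fails the regex above, is never saved, and still runs in the admin's browser.
    echo '<input type="text" name="app_name" value="' . $app_name . '">';
    echo '<input type="submit" name="wpmobi_demo_save" value="Save">';
    echo '</form>';
}

/* ---- hardened: capability + nonce check, sanitize on input, escape on output ---- */
function wpmobi_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Rejects forged cross-site requests: the attacker cannot read the nonce
    // from the admin's page, so a forged POST dies here before any change.
    check_admin_referer( 'wpmobi_demo_save', 'wpmobi_demo_nonce' );

    $app_name = isset( $_POST['app_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['app_name'] ) )
        : '';
    $valid = preg_match( '/^[A-Za-z0-9 ]{1,32}$/', $app_name ) === 1;
    if ( $valid ) {
        update_option( 'wpmobi_demo_app_name', $app_name );
    }
    return array( 'valid' => $valid, 'app_name' => $app_name );
}

function wpmobi_demo_render_hardened( $app_name, $valid ) {
    echo '<form method="post">';
    wp_nonce_field( 'wpmobi_demo_save', 'wpmobi_demo_nonce' ); // emits the hidden nonce field
    if ( ! $valid ) {
        echo '<p>' . esc_html__( 'Invalid app name.', 'wpmobi-demo' ) . '</p>';
    }
    // Escaped on output, so even an unsaved attacker-supplied value is inert.
    echo '<input type="text" name="app_name" value="' . esc_attr( $app_name ) . '">';
    echo '<input type="submit" name="wpmobi_demo_save" value="'
        . esc_attr__( 'Save', 'wpmobi-demo' ) . '">';
    echo '</form>';
}

function wpmobi_demo_settings_page() {
    $result = array( 'valid' => true, 'app_name' => get_option( 'wpmobi_demo_app_name', '' ) );
    if ( isset( $_POST['wpmobi_demo_save'] ) ) {
        $result = WPMOBI_DEMO_HARDENED ? wpmobi_demo_save_hardened() : wpmobi_demo_save_vulnerable();
    }
    echo '<div class="wrap"><h1>WpMobi Demo</h1>';
    if ( WPMOBI_DEMO_HARDENED ) {
        wpmobi_demo_render_hardened( $result['app_name'], $result['valid'] );
    } else {
        wpmobi_demo_render_vulnerable( $result['app_name'], $result['valid'] );
    }
    echo '</div>';
}
```

The two defenses address different halves of the finding: check_admin_referer() stops the forged request from changing settings at all, while esc_attr() on the re-rendered value stops the reflected script regardless of whether validation passed. Fixing only the nonce leaves the page safe from CSRF but still reflects unescaped input to anyone who can reach the form; fixing only the escaping leaves the settings change itself forgeable.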

Fix

Weakness Enumeration

CSRF

Related Identifiers

CVE-2026-8909

Affected Products

Wpmobi