Share
## https://sploitus.com/exploit?id=E46C0A92-5038-5DC2-A9D4-4AB4DB8A7DDD
# CVE-2026-1208: Cross-Site Request Forgery in Friendly Functions for Welcart

[![CVE](https://img.shields.io/badge/CVE-2026--1208-red)](https://vulners.com/cve/CVE-2026-1208)
[![CVSS Score](https://img.shields.io/badge/CVSS-4.3%20Medium-orange)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
[![WordPress Plugin](https://img.shields.io/badge/WordPress-Plugin-blue)](https://wordpress.org/plugins/friendly-functions-for-welcart)
[![CWE-352](https://img.shields.io/badge/CWE--352-CSRF-critical)](https://cwe.mitre.org/data/definitions/352.html)
[![Wordfence](https://img.shields.io/badge/Disclosed-Wordfence-success)](https://www.wordfence.com/)

> **Keywords:** CVE-2026-1208, Friendly Functions for Welcart vulnerability, CSRF, Cross-Site Request Forgery, WordPress security, WordPress plugin vulnerability, CWE-352, Welcart security, settings manipulation, WordPress CVE 2026

## Table of Contents

* [Overview](#overview)
* [Vulnerability Details](#vulnerability-details)
* [Technical Analysis](#technical-details)
* [Attack Vector](#attack-vector)
* [Proof of Concept](#proof-of-concept)
* [Remediation Guide](#remediation)
* [CVSS Metrics](#cvss-v31-metrics)
* [References](#references)
* [Security Contact](#contact)

## Overview

**Friendly Functions for Welcart WordPress Plugin CSRF Vulnerability (CVE-2026-1208)** - Security flaw allowing unauthenticated attackers to modify plugin settings via forged requests.

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Friendly Functions for Welcart plugin that allows unauthenticated attackers to update plugin settings by tricking an administrator into clicking a malicious link.

**Discovered by:** Kai Aizen (SnailSploit)  
**Published:** January 23, 2026  
**CVSS Score:** 4.3 (Medium)  
**CWE:** CWE-352 - Cross-Site Request Forgery (CSRF)  
**Plugin:** Friendly Functions for Welcart  
**Attack Type:** Cross-Site Request Forgery to Settings Update  
**Required Privileges:** None (Unauthenticated Attack + Social Engineering)

## Vulnerability Details

### Description

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

### Impact

This vulnerability allows unauthenticated attackers to:

* Modify plugin settings without authorization
* Manipulate Welcart e-commerce functionality
* Potentially disrupt store operations
* Chain with other vulnerabilities for escalated attacks

### Affected Versions

* **Vulnerable:** All versions โ‰ค 1.2.5
* **Patched:** Version 1.2.6 and above

### CVSS v3.1 Metrics

```
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
```

| Metric | Value |
| --- | --- |
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | Required (UI:R) |
| Scope | Unchanged (S:U) |
| Confidentiality | None (C:N) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |

## Technical Details

The vulnerability exists in the settings page implementation where:

1. The plugin settings form lacks proper nonce validation
2. Settings update requests are processed without verifying request origin
3. No CSRF tokens are generated or validated
4. Administrative actions can be performed via cross-origin requests

### Vulnerable Code Locations

The vulnerability was identified in the following locations:

* `ffw_function_settings.php` - Line 53
* `ffw_function_settings.php` - Line 58

### Attack Vector

The attack requires social engineering to trick an authenticated administrator into visiting a malicious page or clicking a crafted link while logged into their WordPress site.

```
Target: WordPress Admin with Friendly Functions for Welcart installed
Method: Malicious HTML page with auto-submitting form
Trigger: Administrator clicks link or visits attacker-controlled page
```

## Proof of Concept

### CSRF HTML Payload

```html



    CVE-2026-1208 - CSRF PoC


    Loading...
    
        
        
    
    
        document.getElementById('csrf-form').submit();
    


```

> โš ๏ธ **Warning:** This PoC is provided for educational and authorized testing purposes only.

### Testing Steps

1. Set up a WordPress instance with Friendly Functions for Welcart  Installed Plugins** in WordPress admin
2. Locate "Friendly Functions for Welcart"
3. Click **Update Now** to upgrade to version 1.2.6 or later
4. Verify the update was successful
5. Review and confirm your plugin settings are correct

### For Developers

Ensure all settings forms implement proper CSRF protection:

```php
// Example of proper CSRF protection in WordPress
// In your form:
wp_nonce_field('ffw_settings_update', 'ffw_settings_nonce');

// In your form handler:
function process_settings_update() {
    // Verify nonce
    if (!isset($_POST['ffw_settings_nonce']) || 
        !wp_verify_nonce($_POST['ffw_settings_nonce'], 'ffw_settings_update')) {
        wp_die('Security check failed');
    }
    
    // Check capabilities
    if (!current_user_can('manage_options')) {
        wp_die('Unauthorized');
    }
    
    // Process settings update
    // ...
}
```

## Timeline

* **January 23, 2026** - Vulnerability publicly disclosed
* **January 23, 2026** - CVE-2026-1208 assigned
* **Version 1.2.6** - Patch released by plugin vendor

## References

* [Wordfence Intelligence Database Entry](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/friendly-functions-for-welcart/friendly-functions-for-welcart-125-cross-site-request-forgery-to-settings-update)
* [WordPress Plugin Trac - Line 53](https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L53)
* [WordPress Plugin Trac - Line 58](https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L58)
* [Plugin Changeset (Patch)](https://plugins.trac.wordpress.org/changeset/3445305/)
* [MITRE CVE Entry](https://vulners.com/cve/CVE-2026-1208)

## Credits

**Researcher:**

* **Kai Aizen** - SnailSploit

**Disclosure Process:** Coordinated through Wordfence Bug Bounty Program

## Disclaimer

This information is provided for security research and defensive purposes only. Any exploitation of this vulnerability for malicious purposes is illegal and unethical. Always obtain proper authorization before testing systems you do not own.

## Contact

For questions or additional information about this vulnerability:

* **Email:** [kai@owasp.com](mailto:kai@owasp.com)
* **Website:** [snailsploit.com](https://snailsploit.com)
* **Organization:** SnailSploit Security Research

---

*Last updated: January 23, 2026*