CVE Alert

CVE-2026-4139

MEDIUM 4.3

mCatFilter <= 0.5.2 - Cross-Site Request Forgery via compute_post() Function

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability checks in the compute_post() function, which processes settings updates. The compute_post() function is called in the plugin constructor on every page load via the plugins_loaded hook, and it directly processes $_POST data to modify plugin settings via update_option() without any CSRF token validation. This makes it possible for unauthenticated attackers to modify all plugin settings, including category exclusion rules, feed exclusion flags, and tag page exclusion flags, via a forged POST request, granted they can trick a site administrator into performing an action such as clicking a link.
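The two checks the description says are missing, shown in a settings handler as an added example. This is not mCatFilter's code, which this page does not reproduce, and every name prefixed `example_` (function, action, form field and option names) is hypothetical.

```php
<?php
// Added example, not the plugin's own code. All "example_" names are hypothetical.

// Register the handler on admin_init so it runs only for admin requests,
// rather than processing $_POST on every page load.
add_action( 'admin_init', 'example_compute_post' );

function example_compute_post() {
    // Ignore anything that is not a submission of this settings form.
    if ( ! isset( $_POST['example_save_settings'] ) ) {
        return;
    }

    // Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Nonce check: stops the request unless the POST body carries a valid
    // nonce for this action, which a forged cross-site request cannot supply.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Validate input before storing it: category IDs as positive integers,
    // exclusion flags as booleans.
    $cats = array();
    if ( isset( $_POST['example_excluded_cats'] ) ) {
        $raw  = (array) wp_unslash( $_POST['example_excluded_cats'] );
        $cats = array_values( array_filter( array_map( 'absint', $raw ) ) );
    }
    update_option( 'example_excluded_cats', $cats );
    update_option( 'example_exclude_feeds', ! empty( $_POST['example_exclude_feeds'] ) );
    update_option( 'example_exclude_tags', ! empty( $_POST['example_exclude_tags'] ) );
}

// Call inside the settings <form>: emits the hidden nonce field that
// check_admin_referer() verifies, plus the submission marker.
function example_render_form_fields() {
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="hidden" name="example_save_settings" value="1" />';
}
```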

CWE CWE-352
Vendor chsxf
Product mcatfilter
Published Apr 22, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Affected Versions

chsxf / mCatFilter
0 ≤ 0.5.2

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/622ee6c8-7739-44ae-b88f-63a93c0a9b20?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L339
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L339
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L320
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L320
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L138
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L138

Credits

Muhammad Afnaan