ANALYSIS · 0daeb1b4· FINISHED 2026-01-24 · PATCHDIFF

Folder Analysiscache/friendly-functions-for-welcart_1.2.5 → cache/friendly-functions-for-welcart_1.2.6✓ COMPLETED

Files2

Vulnerable1

True positives1

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2026-1208

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 2 CVE 1 Vuln 1

SORT

1 files · page 1/1

ffw_function_settings.php

AI: 1 vulnerabilities

CWE-352: Cross-Site Request Forgery (CSRF) CVE-2026-1208 1 TP

#%!d(float64=001)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2026-1208

Security writeup for CVE-2026-1208

✓ 1 FILE

## The Exploit

The attacker only needs an authenticated WordPress administrator to load a malicious page.

```bash
curl -i 'https://TARGET/wp-admin/admin.php?page=ffw_function_settings' \
  -H 'Cookie: wordpress_logged_in_XXXXXXXXXXXXXXXXXXXX=admin-session-cookie' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'submit_settings=1'
```

The forged POST lands in `ffw_function_settings.php` and is accepted by the plugin settings handler instead of being blocked with "Security check failed". The attacker can therefore trigger an admin-only settings update without knowing or supplying a valid `_wpnonce`.

Why this still matters at admin

Even though the vulnerable action requires administrator privileges, CSRF is a real threat in WordPress because admin sessions are already authenticated in the browser. A malicious site only needs to make an admin click a link or visit a page, which is a common vector for session hijack, tenant compromise, or rogue staff.

## What the Patch Did

Before
```php
if(isset($_POST['submit_settings'])){
	//Nonceチェック
	if(!check_admin_referer('ffw_settings_nonce')){
        wp_die(__('Security check failed', 'text-domain'));
    }
```

After
```php
//Nonceチェック
if(
	isset($_POST['submit_settings']) &&
	!check_admin_referer('ffw_settings_nonce')
) wp_die(__('Security check failed', 'text-domain'));
```

The patch enforces the WordPress nonce validation earlier in the POST handling flow by combining `isset($_POST['submit_settings'])` with `check_admin_referer('ffw_settings_nonce')`. The security control is the WordPress nonce check API, `check_admin_referer()`.

## Root Cause

This is CWE-352: Cross-Site Request Forgery. The attacker-controlled POST arrives with `submit_settings=1` and reaches the plugin’s settings update path in `ffw_function_settings.php` without a reliable nonce validation barrier before any sensitive processing. The trust boundary is the transition from an arbitrary external web request into admin-only plugin configuration changes; that boundary was not properly protected early enough.

## Why It Works

The single load-bearing line is the nonce guard:

```php
if (isset($_POST['submit_settings']) && !check_admin_referer('ffw_settings_nonce')) wp_die(...);
```

If that check is absent, any forged request with `submit_settings` will proceed into the admin settings logic. The `isset($_POST['submit_settings'])` condition is only there to ensure the nonce is validated for real settings submissions, not for unrelated page loads. The patch moved the check upward so that no POST handling can happen before `check_admin_referer()` is evaluated, closing the window where a CSRF payload could act on an admin request path.

## Hardening Checklist

- Use `check_admin_referer('action_name')` on every admin POST handler that modifies settings.
- Generate nonces in forms with `wp_nonce_field('action_name', '_wpnonce')`.
- Validate user capability with `current_user_can('manage_options')` or another appropriate capability before processing admin POST data.
- Call `wp_die()` or return immediately when nonce validation fails.
- Do not process any POST data before nonce and capability checks.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2026-1208

CVE CVE-2026-1208

PRODUCT Folder Analysis

AFFECTED ≤ cache/friendly-functions-for-welcart_1.2.5

FIXED IN cache/friendly-functions-for-welcart_1.2.6

STATUS Generated

Security writeup · CVE-2026-1208

Source files · 1

ffw_function_settings.php Linked

↗ NVD