TextP2P Texting Widget <= 1.8 - Cross-Site Request Forgery to Settings Update

2026-04-21 19:07
afnaan

Strategic Overview

Status
Patched in 1.9
Affected PluginTextP2P Texting Widget
Affected Version<= 1.8
CVSS4.3Medium
CVECVE-2026-4133
View all TextP2P Texting Widget vulnerabilities

Vulnerability Overview

The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.8. This is due to missing nonce validation in the imTextP2POptionPage() function which processes settings updates. The form at line 314 does not include a wp_nonce_field(), and the POST handler at line 7 does not call check_admin_referer() or wp_verify_nonce() before processing settings changes. This makes it possible for unauthenticated attackers to update all plugin settings including chat widget titles, messages, API credentials, colors, and reCAPTCHA configuration via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.

Technical Analysis

REMEDIATION: Update to version 1.9, or a newer patched version --- IDENTIFIER: CWE-352 (Cross-Site Request Forgery (CSRF)) The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C

TextP2P Texting Widget <= 1.8 - Cross-Site Request Forgery to Settings Update (CVE-2026-4133)