{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6396", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-15T20:16:25.894Z", "datePublished": "2026-04-22T07:45:34.325Z", "dateUpdated": "2026-04-22T07:45:34.325Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:34.325Z"}, "affected": [{"vendor": "webarea", "product": "Fast & Fancy Filter \u2013 3F", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fast & Fancy Filter \u2013 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Fast & Fancy Filter \u2013 3F <= 1.2.2 - Cross-Site Request Forgery to Settings Modification via fff_save_settins AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b5fbf2c-1231-482f-b5a5-819f31da3524?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/trunk/includes/admin/class-admin.php#L419"}, {"url": "https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/tags/1.2.2/includes/admin/class-admin.php#L419"}, {"url": "https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/trunk/includes/admin/class-admin.php#L24"}, {"url": "https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/tags/1.2.2/includes/admin/class-admin.php#L24"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-21T19:03:01.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fast & Fancy Filter \u2013 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2026-6396", "lastModified": "2026-04-22T09:16:26.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:26.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/tags/1.2.2/includes/admin/class-admin.php#L24"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/tags/1.2.2/includes/admin/class-admin.php#L419"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/trunk/includes/admin/class-admin.php#L24"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fast-fancy-filter-3f/trunk/includes/admin/class-admin.php#L419"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b5fbf2c-1231-482f-b5a5-819f31da3524?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T10:06:01.704087+00:00", "value": {"mitigation_remediation": ["Upgrade Fast & Fancy Filter \u2013 3F to the latest version that implements nonce verification for the fff_save_settins AJAX action.", "If a patch is not available, disable the fff_save_settins action by removing or commenting out the corresponding handler in the plugin\u2019s admin class, thereby preventing unauthenticated requests.", "Consider disabling the plugin entirely or restricting its use to trusted administrators until the vulnerability is resolved."], "summary": {"action": "Patch", "impact": "CSRF allowing modification of plugin settings"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the Fast & Fancy Filter \u2013 3F WordPress plugin, specifically versions 1.2.2 and earlier. Users running this plugin on any WordPress installation are susceptible.", "description_and_impact": "Fast & Fancy Filter \u2013 3F is affected by a missing nonce verification in its fff_save_settins AJAX action, enabling Cross\u2011Site Request Forgery. This flaw allows an unauthenticated attacker to alter the plugin\u2019s configuration, update arbitrary options, or create new filter posts, effectively compromising the site\u2019s filtering behavior.", "risk_and_exploitability": "With a CVSS score of 4.3 and no EPSS data, the risk is moderate. The flaw is not listed in CISA KEV. The attack vector is inferred to be a forged URL that triggers the AJAX request while an administrator is logged in. An attacker must lure an admin into clicking a crafted link, after which plugin settings can be changed without further authentication."}}}}, "created": "2026-04-22T10:15:14.509365+00:00", "updated": "2026-04-22T10:15:14.509380+00:00", "vendors": []}