CVE-2026-2023
CWE-352 · Published: February 18, 2026 · Updated: February 18, 2026
Official Description
The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
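The pattern the description names, as an added illustration that is not the WP Plugin Info Card plugin's own code: an AJAX handler whose nonce guard is dead code because of the `false &&` prefix, beside a hardened version that verifies the nonce and then the caller's capability. The nonce action `wppic_save_custom_plugin`, the option name `wppic_custom_plugins`, the POST field names, the script handle `wppic-admin` and the `manage_options` capability are assumptions chosen for the example, not details taken from the plugin.

```php
<?php
/**
 * Added illustration of the CSRF pattern the advisory describes; this is
 * not the WP Plugin Info Card plugin's own code. The nonce action, option
 * name, POST field names, script handle and capability are assumptions.
 */

/* Vulnerable form: the nonce check is present but short-circuited.
 * 'false && ...' is always false, so check_ajax_referer() is never called
 * and any POST that reaches admin-ajax.php with this action is processed. */
function wppic_example_save_vulnerable() {
    if ( false && ! check_ajax_referer( 'wppic_save_custom_plugin', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 ); // dead code
    }
    wppic_example_store( $_POST ); // reached by a forged cross-site request
}

/* Hardened form. */
function wppic_example_save_fixed() {
    // 1. Nonce check. A page on another origin cannot read the nonce that
    //    WordPress embedded in the admin page, so a forged request fails here.
    //    Passing false as the third argument makes the function return instead
    //    of calling wp_die(), so we control the JSON response and status code.
    if ( ! check_ajax_referer( 'wppic_save_custom_plugin', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }
    // 2. Capability check. A valid nonce proves where the request came from,
    //    not that the user is allowed to do this; authorization is separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wppic_example_store( $_POST );
}

/* Shared storage helper: sanitize every field before it is persisted.
 * wp_send_json_success()/wp_send_json_error() exit after sending. */
function wppic_example_store( array $input ) {
    $slug = isset( $input['slug'] ) ? sanitize_key( wp_unslash( $input['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing slug.' ), 400 );
    }
    $entry = array(
        'name'    => isset( $input['name'] ) ? sanitize_text_field( wp_unslash( $input['name'] ) ) : '',
        'url'     => isset( $input['url'] ) ? esc_url_raw( wp_unslash( $input['url'] ) ) : '',
        'version' => isset( $input['version'] ) ? sanitize_text_field( wp_unslash( $input['version'] ) ) : '',
    );
    $plugins          = (array) get_option( 'wppic_custom_plugins', array() );
    $plugins[ $slug ] = $entry;
    update_option( 'wppic_custom_plugins', $plugins );
    wp_send_json_success( array( 'slug' => $slug ) );
}

/* Register only the hardened handler, and only for logged-in users: there is
 * deliberately no wp_ajax_nopriv_ hook, so anonymous requests never reach it. */
add_action( 'wp_ajax_wppic_save_custom_plugin', 'wppic_example_save_fixed' );

/* Client side: the admin page has to send the nonce with the request. Here it
 * is exposed to the plugin's (assumed) admin script via wp_localize_script(),
 * which requires that 'wppic-admin' has been registered/enqueued earlier. */
function wppic_example_localize() {
    wp_localize_script( 'wppic-admin', 'wppicAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'wppic_save_custom_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wppic_example_localize' );
```

Two points worth keeping in mind when reviewing similar handlers. The `wp_ajax_` hook already requires a logged-in user, which is exactly why an unauthenticated attacker needs a logged-in administrator as the confused deputy: the browser attaches the admin's cookies to the forged request, and without a nonce check nothing distinguishes that request from a legitimate one. And a nonce check alone is not authorization; any logged-in user with access to the admin page could obtain a nonce, so the capability check has to stay.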
Technical Analysis
CVE-2026-2023 is exploitable remotely over the network: no physical or adjacent access is needed, and the forged request is issued by the victim's own browser, so the attacker never needs direct access to the WordPress admin interface.
Exploitation requires no privileges on the attacker's side, but it does require user interaction. A logged-in administrator must be induced to open an attacker-controlled page or click a link, after which the forged request runs with that administrator's session. That dependence on a victim rules out mass, fully automated exploitation; the attacker has to deliver the lure to each target. The effect described is on integrity (creating or modifying custom plugin entries), not on disclosure of data.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
News & Research Mentioning CVE-2026-2023
All References (5)
Quick Facts
Related CVEs (CWE-352)
Recommended Actions
- Update WP Plugin Info Card past the affected range (all versions up to and including 6.2.0) as soon as a fixed release is available; until then, consider deactivating the plugin on sites where administrators browse while logged in.
- Monitor CVE-2026-2023 in threat intel feeds.
- Review IDS/IPS and WAF rules for exploitation attempts, keeping in mind that a CSRF request arrives from the administrator's own browser and session: look for POSTs to admin-ajax.php for the plugin's save action whose Origin or Referer header points to a foreign site or is absent, rather than for traffic from an unknown source address.