CVE-2026-8939

The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin's settings — including post types to search in, custom fields, media fields and the custom media function name — via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/search-simple-fields/tags/0.2/functions_admin.php#L16
https://plugins.trac.wordpress.org/browser/search-simple-fields/tags/0.2/functions_admin.php#L21
https://www.wordfence.com/threat-intel/vulnerabilities/id/1d7ffc0b-2706-4707-9b8f-edcb418058ca?source=cve

Configurations

No configuration.

History

27 May 2026, 07:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-27 07:16

Updated : 2026-06-17 11:04

NVD link : CVE-2026-8939

Mitre link : CVE-2026-8939

CVE.ORG link : CVE-2026-8939

JSON object : View

Products Affected

No product.

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-8939", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-8939", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-27T10:21:21.241388Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "simonailie", "product": "Search Simple Fields", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.2"}], "defaultStatus": "unaffected"}]}], "published": "2026-05-27T07:16:18.570", "references": [{"url": "https://plugins.trac.wordpress.org/browser/search-simple-fields/tags/0.2/functions_admin.php#L16", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/search-simple-fields/tags/0.2/functions_admin.php#L21", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d7ffc0b-2706-4707-9b8f-edcb418058ca?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin's settings \u2014 including post types to search in, custom fields, media fields and the custom media function name \u2014 via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "lastModified": "2026-06-17T11:04:38.060", "sourceIdentifier": "security@wordfence.com"}