Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Fast & Fancy Filter - 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in Fast & Fancy Filter - 3F WordPress plugin up to version 1.2.2 allows unauthenticated attackers to modify plugin filter settings, update arbitrary site options, or create filter posts by tricking site administrators into clicking a malicious link. The vulnerability exists in the saveFields() function which handles the fff_save_settins AJAX action without nonce verification, enabling attackers to forge requests that execute administrative actions on behalf of logged-in administrators.
Technical ContextAI
The Fast & Fancy Filter - 3F plugin registers an AJAX endpoint (fff_save_settins) via WordPress hooks that processes administrative changes to filter configurations. The underlying vulnerability is a classic Cross-Site Request Forgery (CWE-352) stemming from the absence of nonce token validation in the saveFields() function. WordPress nonces are cryptographic tokens that prevent CSRF attacks by validating that state-changing requests originate from legitimate users within the application, not from external malicious sites. Without nonce verification, an attacker can craft a webpage or email containing a forged request that, when visited by an authenticated administrator, causes the WordPress application to execute privileged actions under that administrator's context. The affected CPE indicates the vulnerability impacts all versions of the plugin through and including 1.2.2.
RemediationAI
Upgrade Fast & Fancy Filter - 3F to a version greater than 1.2.2 once a patched release is available from the plugin author. Wordfence and the WordPress plugin repository should be monitored for a security update that adds nonce verification to the saveFields() function and the fff_save_settins AJAX handler. As an immediate compensating control, site administrators should disable the plugin entirely if it is not actively required, or restrict plugin access by implementing strict WordPress user role controls, limiting administrator accounts to trusted personnel only, and educating administrators about phishing and malicious link risks. Alternatively, a Web Application Firewall (WAF) rule blocking POST requests to wp-admin/admin-ajax.php with action=fff_save_settins from external referrers may reduce attack surface, though this may interfere with legitimate administrative workflows if administrators use the plugin from external locations. These controls are temporary; patching is the permanent fix.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24707
GHSA-4922-xr68-xjg8