cleantalk
Vulnerabilities and Security Researches

BirdSeed, CVE-2026-4071

CVE, Research URL

CVE-2026-4071

Home page URL

Security reports for BirdSeed

Application

BirdSeed

Published on
Jun 02, 2026
Research Description
The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions
max 2.2.0.
Status
vulnerable
Previous vulnerability researches
BirdSeed (CVE-2026-4071) , Jun 04, 2026
New vulnerability
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (CVE-2026-7761) , Jun 25, 2026
Five Star Restaurant Reservations – WordPress Booking Plugin (CVE-2026-54830) , Jun 25, 2026
MapPress Maps for WordPress (CVE-2026-56011) , Jun 25, 2026
WP Photo Album Plus (CVE-2026-54829) , Jun 25, 2026
Infility Global (CVE-2026-7842) , Jun 25, 2026