cleantalk
Vulnerabilities and Security Researches

Call To Action Plugin, CVE-2026-4118

CVE, Research URL

CVE-2026-4118

Home page URL

Security reports for Call To Action Plugin

Application

Call To Action Plugin

Published on
Apr 22, 2026
Research Description
The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function which handles saving, creating, and deleting plugin settings. The form rendered on the settings page does not include a wp_nonce_field(), and the save handler does not call wp_verify_nonce() or check_admin_referer() before processing settings updates via $wpdb->update(). This makes it possible for unauthenticated attackers to modify plugin settings such as call-to-action box title, content, link URL, image URL, colors, and other configuration options via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 3.1.3.
Status
vulnerable
Previous vulnerability researches
Call To Action Plugin (CVE-2026-4118) , Apr 23, 2026
New vulnerability
Emailchef (CVE-2026-1930) , Apr 24, 2026
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier (CVE-2025-6833) , Apr 24, 2026
WP Responsive Popup + Optin (CVE-2026-4131) , Apr 24, 2026
Portfolio Gallery, Product Catalog – Grid KIT Portfolio (CVE-2025-5092) , Apr 24, 2026
Media Library Assistant (CVE-2025-59590) , Apr 24, 2026