cleantalk
Vulnerabilities and Security Researches

WP Plugin Info Card, CVE-2026-2023

CVE, Research URL

CVE-2026-2023

Home page URL

Security reports for WP Plugin Info Card

Application

WP Plugin Info Card

Published on
Feb 18, 2026
Research Description
The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 6.3.0.
Status
vulnerable
Previous vulnerability researches
Social Link Groups (CVE-2024-49619) , Oct 22, 2024
Featured Posts with Multiple Custom Groups (FPMCG) (CVE-2024-48031) , Oct 13, 2024
Featured Posts with Multiple Custom Groups (FPMCG) (CVE-2024-48032) , Oct 13, 2024
RDP inGroups+ (CVE-2025-23546) , Mar 22, 2025
Payment Gateway Groups for WooCommerce (8e7d6f5fc355d02dfe8d709340a3643188c7e5a6) , Jun 07, 2024
New vulnerability
Simple Plyr (CVE-2026-1915) , Apr 16, 2026
Apocalypse Meow (CVE-2026-3523) , Apr 16, 2026
personal-authors-category (CVE-2026-1754) , Apr 16, 2026
UpMenu – Online ordering for restaurants (CVE-2026-1910) , Apr 16, 2026
Employee Directory – Staff Directory and Listing (CVE-2026-1279) , Apr 16, 2026