cleantalk
Vulnerabilities and Security Researches

Alfie – Feed Plugin, CVE-2026-4070

CVE, Research URL

CVE-2026-4070

Home page URL

Security reports for Alfie – Feed Plugin

Application

Alfie – Feed Plugin

Published on
May 22, 2026
Research Description
The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the 'delete' GET parameter. This makes it possible for unauthenticated attackers to delete arbitrary plugin feed data (from alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.2.1.
Status
vulnerable
Previous vulnerability researches
Infility Global (CVE-2025-15268) , Feb 27, 2026
Infility Global (CVE-2024-12723) , Jan 29, 2025
Infility Global (CVE-2025-68864) , Jan 27, 2026
Infility Global (CVE-2025-68865) , Jan 10, 2026
Infility Global (CVE-2025-12968) , Jan 10, 2026
New vulnerability
Hotel Booking Lite (CVE-2026-8684) , May 24, 2026
Alfie – Feed Plugin (CVE-2026-4070) , May 24, 2026
CBX 5 Star Rating & Review (CVE-2026-6864) , May 24, 2026
KIA Subtitle (CVE-2026-7509) , May 23, 2026
ZeptoMail (CVE-2025-67972) , May 23, 2026