cleantalk
Vulnerabilities and Security Researches

Alfie – Feed Plugin, CVE-2026-4070

CVE, Research URL

CVE-2026-4070

Home page URL

Security reports for Alfie – Feed Plugin

Application

Alfie – Feed Plugin

Published on
May 22, 2026
Research Description
The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the 'delete' GET parameter. This makes it possible for unauthenticated attackers to delete arbitrary plugin feed data (from alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.2.1.
Status
vulnerable
Previous vulnerability researches
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-24573) , Jan 26, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-1926) , Mar 10, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2024-13427) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-4223) , May 25, 2025
Page Builder: Pagelayer – Drag and Drop website builder (CVE-2025-2104) , Mar 14, 2025
New vulnerability
Hotel Booking Lite (CVE-2026-8684) , May 24, 2026
Alfie – Feed Plugin (CVE-2026-4070) , May 24, 2026
CBX 5 Star Rating & Review (CVE-2026-6864) , May 24, 2026
KIA Subtitle (CVE-2026-7509) , May 23, 2026
ZeptoMail (CVE-2025-67972) , May 23, 2026