Cross-Site Request Forgery Vulnerability in Guardian News Feed Plugin for WordPress
CVE-2026-1087

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: The Guardian News Feed
Vendor: CVE Published:; 7 March 2026

What is CVE-2026-1087?

The Guardian News Feed plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in its settings update process. This security gap allows unauthenticated attackers to alter critical settings of the plugin, including the Guardian API key. They can exploit this flaw by tricking a site administrator into executing a malicious action, such as clicking a link, thereby enabling unauthorized modifications to the plugin's configuration.

Affected Version(s)

The Guardian News Feed 0 <= 1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/the-guardian-n...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 7, 2026
Vulnerability Reserved
Jan 16, 2026

Credit

Muhammad Nur Ibnu Hubab

CVE-2026-1087 Data

JSON