Cross-Site Request Forgery in Welcart Plugin for WordPress
CVE-2026-1208

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Friendly Functions For Welcart
Vendor: CVE Published:; 24 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-1208?

The Friendly Functions for Welcart plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation on its settings page. This flaw allows unauthenticated attackers to manipulate plugin settings by forging requests, particularly if they can deceive an administrator into performing specific actions, such as clicking on a compromised link. This vulnerability highlights the importance of secure nonce implementations to protect against unauthorized access and modifications.

Affected Version(s)

Friendly Functions for Welcart * <= 1.2.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-1208
Created by SnailSploit

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/friendly-funct...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 24, 2026
👾
Exploit known to exist
Jan 24, 2026
Vulnerability published
Jan 24, 2026
Vulnerability Reserved
Jan 19, 2026

Credit

Kai Aizen

JSON