Cross-Site Request Forgery Vulnerability in TextP2P Texting Widget for WordPress
CVE-2026-4133

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Textp2p Texting Widget
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-4133?

The TextP2P Texting Widget plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit Cross-Site Request Forgery (CSRF). This vulnerability arises from insufficient nonce validation within the imTextP2POptionPage() function, which fails to implement necessary security checks for updating plugin settings. Attackers can exploit this flaw to alter critical settings—including chat widget titles, messages, and API credentials—by deceiving a site administrator into initiating a malicious request. This highlights the necessity for implementing robust security measures in WordPress plugins to safeguard against unauthorized access.

Affected Version(s)

TextP2P Texting Widget 0 <= 1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/textp2p-textin...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Mar 13, 2026

Credit

Muhammad Afnaan

CVE-2026-4133 Data

JSON