WordPress Plugin Vulnerabilities

Set Bulk Post Categories <= 1.1 - Cross-Site Request Forgery to Bulk Post Category Update

Description

The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
set-bulk-post-categories
No known fix

References

CVE
CVE-2026-1081
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9503f908-ead2-4c34-89b9-1e2348b90f3c

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Muhammad Nur Ibnu Hubab (Ibnu)
Verified
No
WPVDB ID
3fcfd0d3-831d-4165-b8cf-75f159dbceda

Timeline

Publicly Published
2026-01-23 (about 2 months ago)
Added
2026-01-23 (about 2 months ago)
Last Updated
2026-01-24 (about 2 months ago)

Other

Published
Title
Published
2025-11-30
Title
Trade Runner <= 3.14 - Cross-Site Request Forgery
Published
2025-11-25
Title
Quick Contact Form < 8.2.6 - Cross-Site Request Forgery
Published
2025-04-01
Title
DN Footer Contacts <= 1.8 - Cross-Site Request Forgery
Published
2024-10-31
Title
Alphabetical List <= 1.0.3 - Settings Update via CSRF
Published
2026-01-13
Title
WPBlogSyn <= 1.0 - Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update