CVE-2026-2023 - WP Plugin Info Card <= 6.2.0 - cross-site request forgery to arbitrary custom plu...

CVE ID : CVE-2026-2023 Published : Feb. 18, 2026, 6:16 a.m. | 1 hour, 29 minutes ago Description : The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Severity: 4.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...