Search Simple Fields

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Description

The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin's settings — including post types to search in, custom fields, media fields and the custom media function name — via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Basic Information

ID CVE-2026-8939

Source Wordfence

Published May 27, 2026 at 05:31

Affected Product

Vendor simonailie

Product Search Simple Fields

Affected Versions simonailie Search Simple Fields 0

CWE Classification

CWE-352

References

{
    "lastseen": "",
    "description": "The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin's settings \u2014 including post types to search in, custom fields, media fields and the custom media function name \u2014 via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
    "published": "2026-05-27T05:31:20.388Z",
    "modified": "2026-05-27T05:31:20.388Z",
    "type": "cve",
    "title": "Search Simple Fields <= 0.2 - Cross-Site Request Forgery to Plugin Settings Update",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d7ffc0b-2706-4707-9b8f-edcb418058ca?source=cve\nhttps://plugins.trac.wordpress.org/browser/search-simple-fields/tags/0.2/functions_admin.php#L16\nhttps://plugins.trac.wordpress.org/browser/search-simple-fields/tags/0.2/functions_admin.php#L21",
    "id": "CVE-2026-8939",
    "bulletinFamily": "",
    "cwe": [
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "simonailie Search Simple Fields 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Search Simple Fields",
    "version": "0",
    "vendor": "simonailie",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Search Simple Fields <= 0.2 - Cross-Site Request Forgery to Plugin Settings Update_CVE-2026-8939