SpirityCVE

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Whatsiplus	Whatsiplus Scheduled Notification For Woocommerce
Wordpress	Wordpress

No data.

References

Link	Providers
https://www.spirityenterprise.com/pentest
https://www.spirityenterprise.com/managed-detection-response
https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L84
https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L85
https://www.wordfence.com/threat-intel/vulnerabilities/id/e466640e-de66-42f0-b56b-226db32d382d?source=cve

History

Thu, 19 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Whatsiplus Whatsiplus whatsiplus Scheduled Notification For Woocommerce Wordpress Wordpress wordpress
Vendors & Products		Whatsiplus Whatsiplus whatsiplus Scheduled Notification For Woocommerce Wordpress Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title		Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action
Weaknesses		CWE-352
References		https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L84 https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L85 https://www.wordfence.com/threat-intel/vulnerabilities/id/e466640e-de66-42f0-b56b-226db32d382d?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-19T04:36:25.835Z

Updated: 2026-02-19T04:36:25.835Z

Reserved: 2026-01-26T20:12:04.006Z

Link: CVE-2026-1455

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object