CVE-2026-1208

MEDIUM

Friendly Functions for Welcart <= 1.2.5 - Cross-Site Request Forgery via Settings Page

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-1208. PoCs published by SnailSploit.

AI-analyzed exploit summary This repository contains a functional CSRF exploit for CVE-2026-1208, targeting the Friendly Functions for Welcart WordPress plugin. The exploit includes Python and Bash scripts to generate and host malicious payloads, demonstrating the vulnerability through forged requests.

Description

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Exploits (1)

nomisec WORKING POC
by SnailSploit · poc
https://github.com/SnailSploit/CVE-2026-1208

This repository contains a functional CSRF exploit for CVE-2026-1208, targeting the Friendly Functions for Welcart WordPress plugin. The exploit includes Python and Bash scripts to generate and host malicious payloads, demonstrating the vulnerability through forged requests.

Classification
Working Poc 95%
Attack Type
Csrf
Complexity
Trivial
Reliability
Reliable
Target: Friendly Functions for Welcart WordPress Plugin (versions ≤ 1.2.5)
No auth needed
Prerequisites: Target site running vulnerable plugin · Administrator user interaction
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 4.3
EPSS 0.0016
EPSS Percentile 5.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
mainichiweb/Friendly Functions for Welcart < 1.2.5
Published Jan 24, 2026
Tracked Since Feb 18, 2026