EIP-2026-114189

PRE-CVE

WordPress Plugin WHIZZ < 1.1.1 - Cross-Site Request Forgery

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114189. PoCs published by Zhiyang Zeng.

AI-analyzed exploit summary: The exploit demonstrates a CSRF vulnerability in WordPress WHIZZ plugin versions <1.1.1, allowing attackers to delete users or change plugin status via crafted image tags. The PoC includes direct URLs that trigger these actions when loaded by an authenticated admin.

Description

WordPress Plugin WHIZZ < 1.1.1 - Cross-Site Request Forgery

Exploits (1)

exploitdb · WORKING POC
by Zhiyang Zeng · text · webapps · php
https://www.exploit-db.com/exploits/41845


Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: WordPress WHIZZ plugin <1.1.1
Auth required
Prerequisites: Victim must be authenticated as an admin · Victim must visit a page containing the malicious image tags
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026