PatchSiren cyber security CVE debrief
CVE-2026-8418 askywhale CVE debrief
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Games Catalog WordPress plugin (versions ≤ 1.2.0). The gc_crud() function fails to validate nonces when processing delete actions sent via GET requests, allowing an unauthenticated attacker to forge a request that deletes arbitrary game catalog entries and their associated WordPress posts if an authenticated administrator visits an attacker-controlled link. The vulnerability was disclosed on 2026-05-20 with a CVSS 3.1 score of 4.3 (Medium). No known exploitation in the wild has been reported.
- Vendor: askywhale
- Product: Games Catalog
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators using the Games Catalog plugin, security teams monitoring WordPress plugin vulnerabilities, and developers maintaining WordPress plugins that expose administrative CRUD functionality.
Technical summary
The Games Catalog plugin registers the gc_crud() function to handle administrative CRUD operations. When processing action=delete via a GET request, the function performs no wp_verify_nonce() or check_admin_referer() validation. Because of this, an attacker can construct a URL that, when visited by an authenticated administrator, deletes an arbitrary game catalog entry and its associated WordPress post without the administrator intending to do so. The vulnerability is present in both the 1.2.0 tagged release and the current trunk code as of disclosure.
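To make the missing check concrete, the following is an added, hypothetical WordPress admin delete handler in the shape the summary describes, shown beside a hardened version. It is illustrative code written for this debrief, not the Games Catalog plugin's own admin-crud.php; the function names, the pc_game post type, the nonce action string and the admin_init hook are all assumptions.

```php
<?php
// Added illustrative example, not the Games Catalog plugin's own code.
// All names (pc_*, 'pc_game', 'pc-delete-<id>', admin_init) are assumptions.

// VULNERABLE PATTERN: acts on action=delete from a GET request with no nonce
// and no capability check, so any page an administrator visits can trigger
// the deletion simply by pointing a link or image at this URL.
function pc_crud_vulnerable() {
    if ( isset( $_GET['action'], $_GET['id'] ) && $_GET['action'] === 'delete' ) {
        wp_delete_post( (int) $_GET['id'], true ); // removes the catalog post
    }
}

// HARDENED PATTERN, part 1: build the delete link with a per-item nonce.
// wp_nonce_url() appends a _wpnonce parameter bound to this action string
// and to the current user's session.
function pc_delete_link( $post_id ) {
    $url = add_query_arg(
        array( 'page' => 'pc-catalog', 'action' => 'delete', 'id' => $post_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'pc-delete-' . $post_id );
}

// HARDENED PATTERN, part 2: verify capability and nonce before deleting.
function pc_crud_hardened() {
    if ( ! isset( $_GET['action'] ) || $_GET['action'] !== 'delete' ) {
        return;
    }
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;

    // Capability check: the caller must be allowed to delete this post.
    if ( ! $id || ! current_user_can( 'delete_post', $id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: a forged cross-site request cannot carry a valid nonce
    // for the victim's session; check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'pc-delete-' . $id );

    // Scope check: only act on this plugin's own entries.
    if ( get_post_type( $id ) !== 'pc_game' ) {
        wp_die( 'Invalid item.', '', array( 'response' => 400 ) );
    }
    wp_delete_post( $id, true );
    wp_safe_redirect( remove_query_arg( array( 'action', 'id', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'pc_crud_hardened' );
```

Destructive actions are still better carried in a POST form than a GET link, but the nonce plus capability check is what closes the CSRF gap described above.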
Defensive priority
medium
Recommended defensive actions
- Update the Games Catalog WordPress plugin to a version newer than 1.2.0 when available
- Implement additional CSRF protections for administrative actions if running affected versions
- Review administrator activity logs for unexpected game catalog deletions from 2026-05-20 onward
- Consider implementing Content Security Policy (CSP) and SameSite cookie attributes to mitigate CSRF risks
- Monitor WordPress plugin repository for security patches to the game-catalog plugin
Evidence notes
The vulnerability is documented in WordPress plugin repository source code references showing the gc_crud() function at admin-crud.php line 31 and line 94, with the function hook registration at games-catalog.php line 96. The issue affects both the tagged 1.2.0 release and trunk versions. Wordfence assigned CWE-352 (Cross-Site Request Forgery).
Official resources
2026-05-20