PatchSiren

CVE-2026-6400 helpstring CVE debrief

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Child Height Predictor by Ostheimer WordPress plugin, affecting all versions up to and including 1.3. The plugin's settings update handler lacks nonce verification, allowing unauthenticated attackers to forge administrative requests that modify plugin configuration options such as unit preferences. This vulnerability requires social engineering to execute, as an attacker must induce a logged-in administrator to visit a malicious page or click a crafted link. The CVSS 3.1 score of 4.3 reflects the medium severity and the need for user interaction. The vulnerability was disclosed on May 20, 2026, with source references pointing to specific lines in the plugin's PHP source code where the missing nonce checks occur.

Vendor: helpstring
Product: Child Height Predictor by Ostheimer
CVSS: 4.3 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site administrators using the Child Height Predictor by Ostheimer plugin, security teams monitoring WordPress plugin vulnerabilities, and web application firewall operators protecting WordPress installations

Technical summary

The Child Height Predictor by Ostheimer plugin for WordPress fails to implement WordPress nonce verification in its administrative settings handler. The options() function processes POST requests to update plugin settings via update_option() without validating a nonce token. The corresponding form template omits wp_nonce_field(), and the handler does not invoke check_admin_referer() or wp_verify_nonce(). This CSRF vulnerability (CWE-352) enables unauthenticated attackers to construct malicious web pages that submit forged requests to the plugin's settings endpoint, causing persistent unauthorized configuration changes when an authenticated administrator's browser processes the request. The attack requires no authentication credentials but depends on successful social engineering to induce administrator interaction.
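The following is an added illustration, not the plugin's own code: a WordPress settings handler for a hypothetical plugin written in the shape the advisory describes (form without wp_nonce_field(), handler without check_admin_referer()), followed by the hardened version a maintainer would ship. All names beginning with chp_ are assumptions.

```php
<?php
// Added example (not the plugin's code): a settings handler for a
// hypothetical plugin. Function, option and nonce names (chp_*) are assumptions.

// VULNERABLE shape (CWE-352): the form carries no nonce and the handler
// saves whatever arrives in $_POST. A cross-site POST replayed by an
// administrator's browser is indistinguishable from a genuine form submit.
function chp_options_page_vulnerable() {
    if ( isset( $_POST['chp_unit'] ) ) {
        update_option( 'chp_unit', $_POST['chp_unit'] ); // no nonce, no capability check
    }
    echo '<form method="post">';
    echo '<input name="chp_unit" value="' . esc_attr( get_option( 'chp_unit', 'cm' ) ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// HARDENED: capability check, nonce emitted in the form, nonce verified in
// the handler, and the submitted value whitelisted before it is persisted.
function chp_options_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'chp' ) );
    }

    if ( isset( $_POST['chp_unit'] ) ) {
        // Stops with an error page unless $_POST['chp_nonce'] is a valid nonce
        // for the 'chp_save_settings' action bound to the current user session.
        check_admin_referer( 'chp_save_settings', 'chp_nonce' );

        $unit = sanitize_text_field( wp_unslash( $_POST['chp_unit'] ) );
        if ( in_array( $unit, array( 'cm', 'in' ), true ) ) {
            update_option( 'chp_unit', $unit );
        }
    }

    echo '<form method="post">';
    // Emits the hidden chp_nonce field (plus _wp_http_referer) the handler checks.
    wp_nonce_field( 'chp_save_settings', 'chp_nonce' );
    echo '<input name="chp_unit" value="' . esc_attr( get_option( 'chp_unit', 'cm' ) ) . '">';
    submit_button( __( 'Save', 'chp' ) );
    echo '</form>';
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every code path that reaches update_option() from request data must be preceded by check_admin_referer() or wp_verify_nonce() on a nonce that the corresponding form emits with wp_nonce_field().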

Defensive priority

medium

Recommended defensive actions

  • Apply the pending plugin update once a patched version is released by the vendor
  • Implement network-level CSRF protection via Web Application Firewall rules for WordPress administrative endpoints
  • Enable WordPress constant DISALLOW_FILE_EDIT to reduce attack surface if not already configured
  • Review plugin settings for unauthorized modifications if the site has been operating with version 1.3 or earlier
  • Consider temporarily disabling the plugin if administrative CSRF protection cannot be enforced through other means

Evidence notes

The vulnerability is documented through WordPress plugin repository source code references showing the options() function at lines 135 and 149 in both the tagged 1.3 release and trunk versions, where wp_nonce_field() is absent from the form template and check_admin_referer()/wp_verify_nonce() are not called in the handler. The CWE-352 classification is confirmed by the primary source.
