PatchSiren cyber security CVE debrief
CVE-2026-8940 jasonpitts CVE debrief
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WP Meta Sort Posts plugin for WordPress, affecting all versions up to and including 0.9. The cause is missing or incorrect nonce validation on the top-level included script in msp-options.php. An unauthenticated attacker can exploit this by tricking a site administrator into performing an action such as clicking on a link; the resulting forged request lets the attacker change the plugin's msp_loop_file and msp_nav_location settings.
- Vendor: jasonpitts
- Product: WP Meta Sort Posts
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of the WP Meta Sort Posts plugin for WordPress, particularly those with versions up to and including 0.9, should be aware of this vulnerability and take necessary actions to protect their sites.
Technical summary
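The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, no privileges required, user interaction required, with low integrity impact and no confidentiality or availability impact. The weakness is categorized under CWE-352 (Cross-Site Request Forgery).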
Defensive priority
MEDIUM
Recommended defensive actions
- Update the WP Meta Sort Posts plugin to a version beyond 0.9, if available.
- Implement additional security measures such as validating nonces for all requests that modify settings.
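The nonce validation recommended above, sketched as an added example for a WordPress settings handler. This is not the plugin's own code: only the option names msp_loop_file and msp_nav_location come from the advisory, while the action name, nonce field name, function names, redirect target and choice of sanitizers are assumptions.

```php
<?php
// Added example, not the plugin's code. Option names come from the advisory;
// the action, nonce field name and function names are assumptions.
const MSP_EX_ACTION = 'msp_example_save_options';
const MSP_EX_NONCE  = 'msp_example_nonce';

// Pattern behind CWE-352: a settings write gated only by POST data, e.g.
//   if ( isset( $_POST['msp_loop_file'] ) ) {
//       update_option( 'msp_loop_file', $_POST['msp_loop_file'] );
//   }
// The administrator's browser attaches the session cookie to a forged
// cross-site POST, so the write succeeds without the admin's intent.

// Hardened handler: runs only for admin-post.php requests with this action.
function msp_example_save_options() {
    // 1. Authorization: only users who may manage options can proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: terminates the request unless a valid nonce for this action
    //    is present in the named field.
    check_admin_referer( MSP_EX_ACTION, MSP_EX_NONCE );

    // 3. Input handling: unslash, then sanitize before storing
    //    (sanitizer choice is an assumption about the expected values).
    if ( isset( $_POST['msp_loop_file'] ) ) {
        update_option( 'msp_loop_file', sanitize_file_name( wp_unslash( $_POST['msp_loop_file'] ) ) );
    }
    if ( isset( $_POST['msp_nav_location'] ) ) {
        update_option( 'msp_nav_location', sanitize_key( wp_unslash( $_POST['msp_nav_location'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_' . MSP_EX_ACTION, 'msp_example_save_options' );

// Form side: emits the hidden nonce field that the handler verifies.
function msp_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( MSP_EX_ACTION ) . '">';
    wp_nonce_field( MSP_EX_ACTION, MSP_EX_NONCE );
    echo '<input type="text" name="msp_loop_file">';
    echo '<input type="text" name="msp_nav_location">';
    submit_button();
    echo '</form>';
}
```

The capability check and the nonce check cover different failures: the first stops under-privileged users, the second stops forged requests sent through a privileged user's session.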
Evidence notes
Evidence for this vulnerability comes from the National Vulnerability Database (NVD) and Wordfence security research.
Official resources
CVE-2026-8940 was published on 2026-06-09T05:16:40.953Z and modified on 2026-06-09T13:33:34.393Z.