PatchSiren cyber security CVE debrief

CVE-2026-4070 pftool CVE debrief

CVE-2026-4070 is a cross-site request forgery issue in the Alfie – Feed Plugin for WordPress affecting all versions up to and including 1.2.1. The vulnerable path is the alfie_manage() function, which handles feed deletion through the delete GET parameter without nonce validation. An attacker who can trick a site administrator into following a crafted request may be able to delete plugin feed data.

Vendor: pftool
Product: Alfie – Feed Plugin
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-22
Advisory published: 2026-05-22
Advisory updated: 2026-05-22

Who should care

WordPress site administrators, defenders responsible for plugins that manage site data, and teams running the Alfie – Feed Plugin version 1.2.1 or earlier should review this issue. It matters most where administrators regularly access the plugin and could be induced to click a malicious link.

Technical summary

NVD and Wordfence describe a CSRF weakness caused by missing nonce validation in alfie_manage(). The affected code path processes deletion requests via a GET parameter named delete. Because the request is not protected against cross-site request forgery, a forged request can trigger deletion of plugin data if an authenticated administrator visits it. The described impact is limited to integrity loss: deletion of data stored by the plugin in alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables.
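The weakness described above, a state-changing deletion driven by a GET parameter with no nonce check, is shown below beside the nonce-protected form that the recommended actions call for. This is an added PHP illustration, not the plugin's code; the handler names, the hypothetical_feeds table and the manage_options capability are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical admin handlers showing
// the missing-nonce pattern the advisory describes beside a protected version.

// Weak pattern: a deletion triggered purely by a GET parameter. Any page an
// authenticated administrator visits can embed a request to this URL, and the
// browser sends the admin's session cookies with it, so nothing ties the
// request to an action the administrator actually intended.
function hypothetical_feed_manage_weak() {
    global $wpdb;
    if ( isset( $_GET['delete'] ) ) {
        $id = absint( $_GET['delete'] );
        $wpdb->delete( $wpdb->prefix . 'hypothetical_feeds', array( 'id' => $id ), array( '%d' ) );
    }
}

// Hardened pattern: accept only POST, verify the caller's capability, and
// require a nonce bound to this specific action and record.
function hypothetical_feed_manage_hardened() {
    global $wpdb;
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['delete'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $id = absint( $_POST['delete'] );
    // check_admin_referer() calls wp_die() when the nonce is absent or invalid,
    // so execution never reaches the delete on a forged request.
    check_admin_referer( 'hypothetical_feed_delete_' . $id, '_hyp_nonce' );
    $wpdb->delete( $wpdb->prefix . 'hypothetical_feeds', array( 'id' => $id ), array( '%d' ) );
}

// The matching form emits a nonce tied to the same action string. A request
// forged from another origin cannot obtain a valid token for this user.
function hypothetical_feed_delete_form( $id ) {
    $id = absint( $id );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=hypothetical-feeds' ) ) . '">';
    wp_nonce_field( 'hypothetical_feed_delete_' . $id, '_hyp_nonce' );
    echo '<input type="hidden" name="delete" value="' . $id . '">';
    echo '<button type="submit">Delete feed</button>';
    echo '</form>';
}
```

When reviewing a plugin for this class of issue, look for every write or delete reached from a request parameter and confirm a check_admin_referer() or wp_verify_nonce() call guards it before the database operation.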

Defensive priority

Medium. The issue is unauthenticated from the attacker's perspective but requires administrator interaction. The main risk is unintended deletion of plugin-managed data, so remediation should be scheduled promptly for any exposed installs.

Recommended defensive actions

  • Upgrade the Alfie – Feed Plugin to a version newer than 1.2.1 if a fixed release is available.
  • Review the alfie_manage() deletion workflow and confirm nonce validation is enforced for all state-changing actions.
  • Limit administrator exposure to untrusted links and reinforce safe browsing practices for users with plugin management privileges.
  • Audit plugin-related data tables for unexpected deletions or integrity issues if the plugin was in use during the vulnerable period.
  • Monitor official vendor and WordPress plugin channels for a remediation notice or patched release.

Evidence notes

The supplied NVD record cites Wordfence references to alfie-manage.php lines 58 and 60 in both the tagged 1.2.1 release and trunk, and states the issue is missing nonce validation in alfie_manage() for deletion via the delete GET parameter. The CVSS vector indicates network exploitable CSRF with user interaction required and low integrity impact. No KEV listing was provided.

Official resources

Publicly published in the provided NVD source on 2026-05-22T05:16:27.233Z; modified at the same timestamp in the supplied record. No KEV entry was provided in the source corpus.