PatchSiren cyber security CVE debrief
CVE-2026-8909 WpMobi CVE debrief
CVE-2026-8909 is a Cross-Site Request Forgery (CSRF) vulnerability in the WpMobi plugin for WordPress, affecting all versions up to and including 0.0.3. An attacker needs no account on the target site: by tricking a logged-in administrator into performing an action such as clicking a link, the attacker causes the administrator's browser to submit a forged request with the administrator's session, modify the plugin's General Settings, and deliver arbitrary web script that runs in the administrator's browser. The injected script executes even when the supplied app_name value fails validation and is never persisted to the database, so the payload is reflected on the failure path and does not depend on a successful save.
- Vendor
- WpMobi
- Product
- WpMobi plugin for WordPress
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-09
Who should care
Site operators running the WpMobi plugin for WordPress at version 0.0.3 or earlier. The victim of the forged request is an administrator, so any site where administrators browse the web while logged in to wp-admin is exposed, and the stored evidence names no fixed release, so operators should confirm their installed version rather than assume an update has already closed the issue.
Technical summary
The vulnerability is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. WordPress nonces bind a state-changing admin request to the user's session; without one, any page an administrator visits can submit the settings form on the administrator's behalf. This allows unauthenticated attackers to modify the plugin's General Settings and inject arbitrary web scripts into the administrator's browser via a forged request. Because the rejected app_name value still reaches the administrator's browser in a form that executes, the CSRF chains into a reflected cross-site scripting effect even when validation fails and nothing is written to the database.
Defensive priority
MEDIUM
Recommended defensive actions
- Update the WpMobi plugin to a release later than 0.0.3 that adds nonce validation to handleSaveGeneralSettings. The stored evidence does not name a fixed version, so confirm the fix in the vendor changelog or the plugin source before treating an update as remediation; if no fixed release is available, deactivate or remove the plugin.
- Use a Web Application Firewall (WAF) as a partial control only. A forged request arrives as a legitimate authenticated request from the administrator's own browser, so a WAF cannot reliably distinguish it by itself; it can still block common script payloads in the app_name parameter and log or block POSTs to the plugin's settings handler whose Origin or Referer header is off-site.
- For plugin maintainers: implement proper nonce validation for the handleSaveGeneralSettings function (wp_nonce_field in the form, check_admin_referer or wp_verify_nonce in the handler), add a capability check such as current_user_can('manage_options'), and escape the app_name value with esc_html before echoing it back on the validation-failure path.
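The following is an added example written for this debrief, not WpMobi's own code, showing the handler shape the technical summary describes beside a hardened version that applies the third recommended action. Only the function name handleSaveGeneralSettings and the app_name parameter come from the advisory; the option key, nonce action, admin_post hook name, settings-page slug and the one-to-forty-character validation rule are assumptions chosen for illustration.

```php
<?php
// Added example for CVE-2026-8909, not WpMobi's code. Everything except the
// names handleSaveGeneralSettings and app_name (both from the advisory) is an
// assumption: option key, nonce action, hook name, page slug, length rule.

// --- Vulnerable shape (the pattern the advisory describes) ----------------
// No nonce check, no capability check, and the rejected value is echoed raw,
// so a forged POST from any site the admin visits both changes settings and
// reflects attacker-controlled markup into the admin's browser.
function wpmobi_demo_vulnerable_handleSaveGeneralSettings() {
    $app_name = isset( $_POST['app_name'] ) ? wp_unslash( $_POST['app_name'] ) : '';

    if ( strlen( $app_name ) < 1 || strlen( $app_name ) > 40 ) {
        // Reflected XSS on the failure path: executes even though the value
        // is never written to the database.
        echo '<div class="error">Invalid app name: ' . $app_name . '</div>';
        return;
    }
    update_option( 'wpmobi_demo_app_name', $app_name );
}

// --- Hardened shape ---------------------------------------------------------
const WPMOBI_DEMO_NONCE_ACTION = 'wpmobi_demo_save_general_settings'; // assumed name

// The settings form: the nonce is rendered only here, inside wp-admin, so a
// cross-site page cannot obtain a value that check_admin_referer() accepts.
function wpmobi_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpmobi_demo_save_general_settings">
        <?php wp_nonce_field( WPMOBI_DEMO_NONCE_ACTION, '_wpmobi_nonce' ); ?>
        <input type="text" name="app_name"
               value="<?php echo esc_attr( get_option( 'wpmobi_demo_app_name', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function wpmobi_demo_hardened_handleSaveGeneralSettings() {
    // 1. Authorization first: nonce checks do not replace a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'wpmobi-demo' ),
                '', array( 'response' => 403 ) );
    }

    // 2. Nonce: tied to the current user and session; check_admin_referer()
    //    calls wp_die() when the nonce is missing or invalid, which is exactly
    //    what happens to a forged cross-site request.
    check_admin_referer( WPMOBI_DEMO_NONCE_ACTION, '_wpmobi_nonce' );

    // 3. Sanitize, then validate. sanitize_text_field() strips tags, but the
    //    output escaping below does not rely on that.
    $app_name = isset( $_POST['app_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['app_name'] ) )
        : '';
    $valid = strlen( $app_name ) >= 1 && strlen( $app_name ) <= 40;

    if ( $valid ) {
        update_option( 'wpmobi_demo_app_name', $app_name );
        add_settings_error( 'wpmobi_demo', 'saved',
            __( 'Settings saved.', 'wpmobi-demo' ), 'updated' );
    } else {
        // 4. Output encoding on the failure path closes the "fails validation
        //    but still executes" behaviour. settings_errors() prints the
        //    message as-is, so escape it here.
        add_settings_error( 'wpmobi_demo', 'invalid_app_name',
            sprintf( __( 'Invalid app name: %s', 'wpmobi-demo' ), esc_html( $app_name ) ),
            'error' );
    }
    // Carry the notices across the redirect the same way options.php does.
    set_transient( 'settings_errors', get_settings_errors(), 30 );

    // 5. Redirect instead of rendering inline so a refresh cannot resubmit.
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true',
        admin_url( 'admin.php?page=wpmobi-demo' ) ) );
    exit;
}
add_action( 'admin_post_wpmobi_demo_save_general_settings',
            'wpmobi_demo_hardened_handleSaveGeneralSettings' );
```

The order of the checks matters: the capability check runs before the nonce check so that a nonce leaked to a low-privilege user still cannot save settings, and escaping happens at output time rather than only at input time so the reflected path stays safe even if the sanitization rule is later relaxed. When reviewing a candidate fixed release, look for both a nonce verification call and an escaping call on the failure message in handleSaveGeneralSettings; a nonce check alone leaves the reflection behaviour in place for anyone who can legitimately submit the form.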
Evidence notes
The CVE record and NVD detail provide evidence of the vulnerability. Additional references include Wordfence threat intel and WordPress plugin source code.
Official resources
CVE-2026-8909 was published on 2026-06-09T05:16:40.590Z and modified on 2026-06-09T13:33:34.393Z.