CVE-2026-1455 MEDIUM

CVE-2026-1455: Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action

Vendor Whatsiplus
Product Whatsiplus Scheduled Notification for Woocommerce
Weakness CWE-352 · CSRF
Published February 19, 2026
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Explanation of Vulnerability in Simple Terms

02Summary

Whatsiplus Scheduled Notification for WooCommerce versions up to 1.0.1 contain a cross-site request forgery vulnerability. An attacker can craft a malicious link or page that, when visited by a logged-in site administrator, performs unwanted actions on the site without their knowledge. The vulnerability requires user interaction and does not expose sensitive data, but can modify site settings or content.

What an attacker can do

03Attacker Capabilities

Trick a logged-in admin into visiting a malicious page that performs unwanted actions on the site.

Potential impact on your site

04Site Impact

Attackers can modify plugin settings or trigger unintended actions if admins visit malicious links.

Conditions required to exploit

05Prerequisites

Admin must visit attacker-controlled page while logged into WordPress.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2025-30619 WordPress SpeakPipe plugin <= 0.2 - Cross Site Request Forgery (CSRF) Vulnerability CVE-2023-46095 WordPress Smooth Scroll Links Plugin <= 1.1.0 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2021-40335 Cross Site Request Forgery (CSRF) in Hitachi Energy’s MSM Product CVE-2023-36511 WordPress WooCommerce Order Barcodes Plugin <= 1.6.4 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2024-39623 WordPress ListingPro theme <= 2.9.4 - Cross Site Request Forgery (CSRF) to Account Takeover vulnerability