WordPress BirdSeed <= 2.2.0 CSRF Vulnerability (CVE-2026-4071)

Vulnerability Overview Vulnerability Name: BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change Vulnerability Type: Cross-Site Request Forgery (CSRF) CVE ID: CVE-2026-4071 CVSS Score: 4.3 (Medium) Published Date: June 1, 2026 Last Updated: June 2, 2026 Researcher: Nabil Irawan - Heroes Cyber Security Impact Scope Affected Software: BirdSeed Software Type: Plugin Plugin Slug: birdseed Affected Versions: <= 2.2.0 Remediation Patch Status: No known patch available Recommended Actions: Please review the vulnerability details thoroughly and implement mitigation measures based on your organization's risk tolerance. It is best to uninstall the affected software and seek alternative solutions. Description The BirdSeed plugin is vulnerable to Cross-Site Request Forgery (CSRF) in WordPress, affecting all versions up to and including 2.2.0. This is due to the absence of nonce verification in the function. This function processes the GET parameter and saves it to the database via without verifying a nonce. This allows unauthenticated attackers to change the plugin's BirdSeed token settings by forging requests, provided they can trick the site administrator into performing an action (such as clicking a link). References plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org Additional Information Copyright: 2012-2026 Defiant Inc. License: Defiant grants a perpetual, worldwide, non-exclusive, royalty-free, irrevocable copyright license to copy, prepare derivative works, publicly display, publicly perform, sublicense, and distribute this vulnerability information. Any copies made for this purpose are authorized provided they contain a hyperlink to this vulnerability record and reproduce the Defiant copyright designation. MITRE Corporation: 1999-2026 MITRE Corporation grants a perpetual, worldwide, non-exclusive, royalty-free, irrevocable copyright license to copy, prepare derivative works, publicly display, publicly perform, sublicense, and distribute the Common Vulnerabilities and Exposures (CVE). Any copies made for this purpose are authorized provided they reproduce the MITRE copyright designation and any such license in this license. Contact Feedback: If you have information to add or have discovered an error, please contact for appropriate adjustments. Additional Resources Wordfence Intelligence API: Provides free personal and commercial API access, including webhook integrations, for the latest vulnerability information. Wordfence WordPress Plugin: Notifies sites immediately if they are affected by a new vulnerability. Documentation: Provides documentation on how to access and consume the vulnerability data API. Buttons Learn More: LEARN MORE Get Wordfence: GET WORDFENCE Documentation: DOCUMENTATION

Goal Reached Thanks to every supporter — we hit 100%!

WordPress BirdSeed <= 2.2.0 CSRF Vulnerability (CVE-2026-4071)

More from this source