CVE-2026-9724
WordPress vulnerability analysis and mitigation

Overview

CVE-2026-9724 is a Cross-Site Request Forgery (CSRF) vulnerability in the MotorDesk plugin for WordPress, affecting all versions up to and including 1.1.2. The flaw stems from missing or incorrect nonce validation on the motordesk_admin_home function, enabling unauthenticated attackers to modify plugin configuration settings by tricking an administrator into clicking a malicious link. It was published on June 24, 2026, with a CVSS v3.1 base score of 4.3 (Medium) (GitHub Advisory, Wordfence).

Technical details

The root cause is classified as CWE-352 (Cross-Site Request Forgery), specifically the absence of proper nonce validation in the motordesk_admin_home function within include/motordesk_admin.php (lines 122, 134, 157, and 182). Because WordPress nonces are not verified before processing admin configuration updates, an attacker can craft a forged HTTP request that, when triggered by an authenticated administrator, updates sensitive plugin settings such as the search page URI and custom template directory path. Exploitation requires social engineering — the attacker must trick a logged-in site administrator into clicking a crafted link or visiting a malicious page (GitHub Advisory, Wordfence).

Impact

Successful exploitation allows an unauthenticated attacker to modify the MotorDesk plugin's configuration settings, including the search page URI and custom template directory path, without authorization. While confidentiality and availability are not directly impacted, manipulation of the template directory path could potentially be chained with other vulnerabilities (e.g., path traversal or file inclusion) to achieve more severe outcomes. The integrity impact is limited to plugin configuration changes, but these could disrupt site functionality or redirect users (GitHub Advisory, Wordfence).

Exploitation steps

  1. Reconnaissance: Identify WordPress sites running the MotorDesk plugin version 1.1.2 or earlier using tools like WPScan or by inspecting publicly accessible plugin metadata.
  2. Craft malicious request: Create an HTML page or link containing a forged POST request targeting the WordPress admin endpoint that invokes motordesk_admin_home, with attacker-controlled values for the search page URI and/or custom template directory path parameters.
  3. Social engineering: Deliver the malicious link or page to a site administrator via phishing email, forum post, or other means, inducing them to click it while authenticated to the WordPress admin panel.
  4. Configuration modification: When the administrator's browser submits the forged request, the missing nonce validation causes WordPress to process it as legitimate, updating the plugin's configuration settings to attacker-specified values (GitHub Advisory, Wordfence).

Indicators of compromise

  • Logs: WordPress admin access logs showing unexpected POST requests to admin-ajax.php or wp-admin pages invoking the motordesk_admin_home action from unusual referrer URLs or external origins.
  • Configuration: Unexpected changes to the MotorDesk plugin settings in the WordPress database, particularly the search page URI or custom template directory path fields differing from administrator-set values.
  • File System: If the custom template directory path was altered, monitor for new or modified template files in non-standard directories that could indicate follow-on file inclusion attempts.
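The log indicator above, turned into a check a responder can run over access logs: flag POST requests to wp-admin that reference the MotorDesk admin page and arrive with a missing or foreign-origin Referer, which is how a forged cross-site submission differs from a genuine form save. This is an added example, not code from the advisory or the plugin; the site hostname, the `page=motordesk_admin_home` query parameter and the log lines are constructed assumptions.

```php
<?php
// Added example (constructed): scan combined-format access log lines for
// cross-site POSTs to the MotorDesk admin page. SITE_HOST and the
// page=motordesk_admin_home parameter are assumptions, not values from the plugin.

const SITE_HOST = 'dealer.example';

// Apache/Nginx "combined" log format: ip ident user [time] "req" status size "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function is_suspicious_motordesk_post( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;                                   // not a combined-format line
    }
    [ , $ip, $ts, $method, $path, $status, $referer ] = $m;
    if ( $method !== 'POST' || strpos( $path, '/wp-admin/' ) !== 0 ) {
        return null;                                   // only admin POSTs matter here
    }
    if ( stripos( $path, 'motordesk' ) === false ) {
        return null;                                   // unrelated admin POST
    }
    // A genuine settings save is submitted from the plugin's own admin page,
    // so the Referer host is the site itself. A missing Referer ("-") is
    // also flagged: an attacker page can suppress it with a referrer policy.
    $ref_host = ( $referer === '' || $referer === '-' )
        ? '' : (string) parse_url( $referer, PHP_URL_HOST );
    if ( $ref_host === SITE_HOST ) {
        return null;
    }
    return [ 'ip' => $ip, 'time' => $ts, 'path' => $path, 'status' => $status, 'referer' => $referer ];
}

// Constructed sample: one legitimate save, one cross-site POST, one plain page view.
$sample = [
    '203.0.113.7 - - [24/Jun/2026:10:02:11 +0000] "POST /wp-admin/admin.php?page=motordesk_admin_home HTTP/1.1" 302 0 "https://dealer.example/wp-admin/admin.php?page=motordesk_admin_home" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jun/2026:10:05:43 +0000] "POST /wp-admin/admin.php?page=motordesk_admin_home HTTP/1.1" 302 0 "https://attacker.invalid/offer.html" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jun/2026:10:06:01 +0000] "GET /wp-admin/admin.php?page=motordesk_admin_home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];
foreach ( $sample as $line ) {
    if ( $hit = is_suspicious_motordesk_post( $line ) ) {
        echo "SUSPICIOUS: {$hit['time']} {$hit['ip']} {$hit['path']} referer={$hit['referer']}\n";
    }
}
```

Only the second line is reported; the first is same-origin and the third is a GET. Pair any hit with a diff of the plugin's stored options against the values the administrator last set.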

Mitigation and workarounds

WordPress site administrators should update the MotorDesk plugin to a version newer than 1.1.2, which includes proper nonce validation on the motordesk_admin_home function. Until an update is applied, administrators should exercise caution with unsolicited links and emails, and consider temporarily deactivating the plugin if the site is at elevated risk. Implementing Content Security Policy (CSP) headers and educating administrators about phishing risks can provide additional defense-in-depth (Wordfence, GitHub Advisory).
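The missing check described under Technical details, and the fix the update is said to ship, side by side: a settings handler that saves `$_POST` values directly (the CSRF pattern) next to one that requires a WordPress nonce and a capability check before saving. This is an added illustration, not the MotorDesk plugin's code; the function, option and field names are hypothetical.

```php
<?php
// Added example (hypothetical names, not the MotorDesk plugin's own code).

// BEFORE: settings are written straight from $_POST. Any page the admin visits
// while logged in can submit this form in their browser, and WordPress has no
// way to tell the forged request from a real one (CWE-352).
function example_admin_home_vulnerable() {
    if ( isset( $_POST['search_page_uri'] ) ) {
        update_option( 'example_search_page_uri', $_POST['search_page_uri'] );
        update_option( 'example_template_dir', $_POST['template_dir'] );
    }
}

// AFTER: the form carries a nonce bound to the logged-in user and this action,
// and the handler refuses to save unless that nonce verifies.
function example_admin_home_fixed() {
    if ( ! isset( $_POST['example_save_settings'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Anti-CSRF: check_admin_referer() dies with "Are you sure?" when the
    // nonce is absent, expired, or was issued for another user or action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $uri = esc_url_raw( wp_unslash( $_POST['search_page_uri'] ?? '' ) );
    $dir = sanitize_text_field( wp_unslash( $_POST['template_dir'] ?? '' ) );
    // The template directory is later used as a filesystem path, so reject
    // traversal sequences here rather than relying on sanitization alone.
    if ( strpos( $dir, '..' ) !== false ) {
        wp_die( 'Invalid template directory.' );
    }
    update_option( 'example_search_page_uri', $uri );
    update_option( 'example_template_dir', $dir );
}

// The settings form must emit the matching nonce field for the check to pass.
function example_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="search_page_uri"
               value="<?php echo esc_attr( get_option( 'example_search_page_uri', '' ) ); ?>">
        <input type="text" name="template_dir"
               value="<?php echo esc_attr( get_option( 'example_template_dir', '' ) ); ?>">
        <input type="submit" name="example_save_settings" value="Save">
    </form>
    <?php
}
```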

Additional resources

This report was generated using artificial intelligence.
