CVE-2025-26768: 
WordPress vulnerability analysis and mitigation

The CVE-2025-26768 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the what3words Address Field WordPress plugin, affecting versions up to and including 4.0.15. The vulnerability was publicly disclosed on February 14, 2025, and was discovered by security researcher Abdi Pranata (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on certain functions within the what3words Address Field plugin. This security flaw has been assigned a CVSS v3.1 score of 7.1 (HIGH), indicating significant severity. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and falls under the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan).

The vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts via forged requests. The successful exploitation requires tricking a site administrator into performing specific actions, such as clicking on a malicious link. This can lead to stored Cross-Site Scripting (XSS) attacks (Patchstack).

The vulnerability has been patched in version 4.0.16 of the what3words Address Field plugin. Users are strongly advised to update to this version or later to mitigate the security risk. No alternative workarounds have been published (Patchstack).