MEDIUM 4.3

CVE-2026-9732: EmergencyWP CSRF Vulnerability—Plugin Settings Modification Risk

The EmergencyWP plugin for WordPress has a security flaw that allows attackers to change important plugin settings without authorization. An attacker would need to trick a WordPress site administrator into clicking a malicious link, but if successful, they could alter access controls, email addresses, and other critical configurations. This is a cross-site request forgery (CSRF) vulnerability caused by the plugin failing to properly validate requests before processing them.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-352
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the form_settings_ui (settings save handler, procedural include scope) function. This makes it possible for unauthenticated attackers to modify plugin settings including the minimum access role (altering WordPress role capabilities via add_cap/remove_cap), the data-erasure-on-uninstall flag, life-check timing values, the mandator email address, the confirmation page ID, and date/time formats via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9732 is a Cross-Site Request Forgery (CWE-352) vulnerability in the EmergencyWP plugin affecting all versions through 1.4.2. The flaw exists in the form_settings_ui function, which handles settings persistence but lacks proper nonce validation. This allows an attacker to craft a forged HTTP request that, when executed by an authenticated administrator, modifies sensitive plugin configuration including role capabilities (via WordPress add_cap/remove_cap functions), data-erasure-on-uninstall flags, life-check timing parameters, administrator email addresses, confirmation page IDs, and date/time format settings. The attack requires social engineering to trick an admin into visiting an attacker-controlled page or clicking a malicious link.

Business impact

Compromised plugin settings can degrade the intended security and functionality of the legacy data management workflow that EmergencyWP provides. Unauthorized modification of administrator email addresses could disrupt critical notifications or lock legitimate administrators out of the system. Changes to access role capabilities could grant unintended privileges to lower-privileged users or restrict legitimate administrators. For organizations relying on EmergencyWP for digital legacy management or data-erasure orchestration, a successful attack could undermine trust in the plugin's configuration integrity and require administrative investigation and remediation.

Affected systems

WordPress installations using the EmergencyWP – Dead Man's switch & legacy deliverance plugin in versions 1.4.2 and earlier are affected. The vulnerability does not affect the WordPress core or other plugins; exposure is limited to sites with EmergencyWP installed and active. The attack surface is limited to WordPress administrators, since the forged request must be executed by a user with settings-modification capability.

Exploitability

This vulnerability has a CVSS 3.1 score of 4.3 (MEDIUM severity) with a network attack vector and low complexity, but requires user interaction (UI:R). Exploitation is straightforward from a technical standpoint—crafting a forged request is trivial—but depends entirely on social engineering. An attacker must convince an administrator to click a link or visit a compromised page while logged into WordPress. There is no authenticated exploit path, and the attack leaves a minimal forensic footprint unless request logging is enabled. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that impact is limited to integrity of settings, with no confidentiality or availability impact.

Remediation

Update the EmergencyWP plugin to a patched version that implements proper nonce validation on the form_settings_ui function. Verify the patched version number against the official WordPress plugin repository or the plugin vendor's advisory. In the interim, restrict plugin settings access to trusted administrators only, educate administrators about CSRF phishing tactics, and monitor settings change logs for unauthorized modifications.

Patch guidance

Check the WordPress plugin repository (plugins.wordpress.org) or contact the plugin vendor directly for the patched version release date and number. Apply the update as soon as it becomes available. Verify the update in your WordPress admin dashboard under Plugins > Installed Plugins. If a patch is not yet available at the time you discover this vulnerability, consider temporarily disabling the plugin until a fix is released, or implement compensating controls such as restricting admin access by IP address or requiring multi-factor authentication for administrator accounts.

Detection guidance

Enable request logging on your WordPress site to capture POST requests to the wp-admin/admin.php endpoint with the EmergencyWP settings handler. Look for requests lacking a valid nonce parameter or with nonce mismatches. Monitor admin change logs or database audit trails for unexpected modifications to plugin options (stored in wp_options table with keys related to EmergencyWP settings). Implement a Web Application Firewall (WAF) rule to flag or block settings modification requests that lack proper nonce tokens. Use WordPress security plugins such as Wordfence or Sucuri to track configuration changes and receive alerts.

Why prioritize this

Although the CVSS score is MEDIUM (4.3), this vulnerability should be prioritized for patching within your standard change management window because it directly affects plugin configuration integrity and requires no technical sophistication to exploit. The attack depends on social engineering rather than a zero-day or exploit kit, which lowers urgency compared to CRITICAL vulnerabilities, but the ease of exploitation and the sensitivity of the targeted settings (access control, email notification) warrant prompt attention. If your organization relies on EmergencyWP for critical workflows, prioritize patching accordingly.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-accessible vulnerability with low attack complexity and limited impact scope. The requirement for user interaction (an administrator must be socially engineered) and the absence of confidentiality or availability impact suppress the score. However, the integrity impact on sensitive configuration settings—particularly those governing role capabilities and email addresses—elevates concern beyond a purely numerical assessment. Organizations should evaluate their own reliance on EmergencyWP and the risk profile of their administrator base when deciding remediation urgency.

Frequently asked questions

Does this vulnerability affect WordPress core or other plugins?

No. This vulnerability is specific to the EmergencyWP plugin. WordPress core and other plugins are not affected. You only need to update EmergencyWP itself.

Can this attack happen without tricking an administrator into clicking a link?

No. This is a CSRF vulnerability, which means it requires user interaction—specifically, an authenticated administrator must visit a malicious page or click a link while logged into WordPress. If your administrators do not click suspicious links or visit untrusted websites while logged in, the attack surface is significantly reduced.

What should I do if I cannot patch immediately?

Consider temporarily disabling the plugin until a patch is available. If you must keep it active, restrict admin access by IP address (if feasible), enforce multi-factor authentication for administrators, and educate administrators about CSRF phishing tactics. Monitor your plugin settings and admin logs for unauthorized changes.

How do I know if my settings have been changed by an attacker?

Review your WordPress database or admin logs for changes to EmergencyWP configuration options. Check the plugin's settings page for unexpected changes to access roles, email addresses, or life-check timing. If you have a backup from before the potential attack, compare current settings against the backup.

This analysis is based on the CVE description and CVSS vector as of the publication and modification dates listed. Security advisories and patch availability may change; verify current patch status and version numbers directly with the WordPress plugin repository or the plugin vendor before implementing remediation. This summary does not constitute legal or compliance advice. Organizations should assess their own risk tolerance and remediation timelines based on their operational context and reliance on the affected plugin. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).