Security Alert Summary
The Keybase.io Verification plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.4.5. The vulnerability is caused by missing nonce validation when updating plugin settings, which can allow an attacker to cause an administrator to unknowingly update the Keybase verification text via a forged request.
CVE Details
- CVE ID: CVE-2026-1072
- Affected plugin / component: Keybase.io Verification plugin for WordPress
- Affected versions: All versions up to and including 1.4.5 (as stated in the CVE entry)
- Published: February 18, 2026, 6:16:33 AM UTC
- Last modified: February 18, 2026, 6:16:33 AM UTC
- CVSS v3.1: Base Score 4.3, Severity MEDIUM, Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Authentication / Privileges / User interaction: Privileges Required: None; User Interaction: Required; Attack Vector: Network; Attack Complexity: Low
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- CWE / weakness: CWE-352 (Cross-Site Request Forgery)
Technical Details
This vulnerability is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce validation when the plugin updates its settings. Because nonce checks are not present where settings are written, an attacker can craft a request that updates the Keybase verification text and trick an administrator into triggering that request (for example, by clicking a link in an email or on a web page).
The CVE references the plugin’s admin write code (admin/code/write.php), indicating the missing nonce / CSRF protection occurs in the settings write path. The absence of nonce validation is the root cause: without that server-side check, the plugin cannot distinguish legitimate form submissions from forged requests.
Impact is limited to integrity of the plugin settings (specifically the Keybase verification text). The vulnerability does not indicate disclosure of confidential data or loss of availability according to the CVSS metrics provided.
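The following is an added illustration of the class of defect described above, not code from the Keybase.io Verification plugin: a WordPress settings write handler that trusts any POST, beside the hardened form that ties the form to a nonce and verifies it (together with the caller's capability) before writing. Option name, action name and nonce field name are invented placeholders.

```php
<?php
// Added example (not the plugin's code). Option, action and nonce names are
// hypothetical placeholders chosen for this illustration.

// Weak pattern: the write path accepts any POST that reaches it. Because the
// browser attaches the admin's session cookies automatically, a request
// submitted from a third-party page the admin visits is indistinguishable
// from a genuine settings save.
function example_write_settings_unprotected() {
    if ( isset( $_POST['verification_text'] ) ) {
        $text = sanitize_text_field( wp_unslash( $_POST['verification_text'] ) );
        update_option( 'example_keybase_text', $text );
    }
}

// Hardened pattern, part 1: the settings form embeds a nonce bound to a
// named action. Only pages rendered for this logged-in user carry a valid one.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_keybase_text">
        <?php wp_nonce_field( 'example_save_keybase_text', 'example_nonce' ); ?>
        <label for="verification_text">Verification text</label>
        <input type="text" id="verification_text" name="verification_text"
               value="<?php echo esc_attr( get_option( 'example_keybase_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: the write path refuses to proceed without a
// valid nonce for this action, then checks authorization separately.
function example_write_settings_protected() {
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'example_save_keybase_text', 'example_nonce' );
    // A nonce proves intent, not authorization: the capability check is still needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    $text = isset( $_POST['verification_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['verification_text'] ) )
        : '';
    update_option( 'example_keybase_text', $text );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// admin_post_{action} fires for logged-in users posting to admin-post.php.
add_action( 'admin_post_example_save_keybase_text', 'example_write_settings_protected' );
```

In an audit, the check to apply to a plugin's settings write path is whether every branch that calls update_option() is preceded by a check_admin_referer() or wp_verify_nonce() call on a nonce the form actually emits.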
How This Could Impact Your Website
Consider a site with an owner (administrator), internal staff who manage content, and an external contractor who occasionally contributes. If an administrator is tricked into visiting a malicious page or clicking a crafted link while logged into the WordPress admin, an attacker could change the Keybase verification text displayed by the site without the administrator’s explicit intent. That altered verification text could confuse visitors or be used to support social engineering or targeted phishing campaigns by making the site appear to assert a different Keybase identity.
Because the CVSS impact shows no confidentiality impact, this issue does not directly expose internal data such as user passwords or private information. The primary concern is the integrity of the verification text and any trust decisions that rely on it.
Professional review: If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (No fixed version is specified in the CVE entry.)
- Review and reduce unnecessary user roles, especially users with Administrator capability.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and audit admin actions for unusual changes to plugin settings or verification text.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/wp-keybase-verification/tags/1.4.5/admin/code/write.php#L51
- https://plugins.trac.wordpress.org/browser/wp-keybase-verification/trunk/admin/code/write.php#L51
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3455171%40wp-keybase-verification&new=3455171%40wp-keybase-verification&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4bbf55eb-7738-4c52-ac9d-a67d159e56cf?source=cve