CVE-2026-1072 in Keybase.io Verification Plugin
Summary
by MITRE • 02/18/2026
The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the Keybase verification text via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/18/2026
The Keybase.io Verification plugin for WordPress represents a widely used tool that enables website administrators to verify their identity on the Keybase platform by adding specific text to their website. This verification process is crucial for establishing trust and authenticity in the digital landscape where online identity verification has become increasingly important. The plugin operates by allowing administrators to insert a unique verification string into their website's HTML content, which Keybase then uses to confirm the administrator's ownership of the site. This functionality creates a bridge between WordPress websites and the Keybase identity verification system, making it a valuable component for users who rely on digital identity verification services.
The vulnerability identified in CVE-2026-1072 stems from a critical flaw in the plugin's security implementation where nonce validation is completely absent during the process of updating plugin settings. Nonce validation represents a fundamental security mechanism in WordPress that generates unique, time-limited tokens to ensure that requests originate from legitimate sources within the WordPress admin environment. This particular weakness creates a dangerous pathway for attackers to manipulate the plugin's configuration without proper authentication. The absence of nonce validation means that any attacker can craft malicious requests that appear to come from legitimate administrative actions, effectively bypassing the standard WordPress security protocols that protect against unauthorized configuration changes.
The operational impact of this Cross-Site Request Forgery vulnerability extends beyond simple configuration manipulation, as it allows unauthenticated attackers to inject arbitrary verification text into websites. This represents a significant risk to website integrity and user trust, as the injected content could potentially be used for phishing attacks, social engineering campaigns, or to mislead users about the true identity of the website owner. The attack vector relies on social engineering tactics where administrators are tricked into clicking malicious links or visiting compromised websites, making this vulnerability particularly dangerous because it exploits human factors in addition to technical weaknesses. This type of vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery issues in software applications, and demonstrates how insufficient input validation can create persistent security risks.
The exploitation of this vulnerability requires minimal technical expertise from attackers, as it leverages existing WordPress security gaps rather than requiring complex attack techniques. Attackers can craft forged requests that update the Keybase verification text without authentication, potentially allowing them to insert malicious content or redirect verification processes. This vulnerability creates a persistent threat that remains active until the plugin is updated to include proper nonce validation. The risk is particularly concerning for websites that rely heavily on identity verification for security purposes, as the compromised verification text could be used to impersonate legitimate site owners or to gain unauthorized access to Keybase accounts linked to the compromised websites. Organizations should consider implementing additional monitoring and verification procedures to detect unauthorized changes to their verification configurations, as this vulnerability creates a potential attack surface that could be exploited for broader security incidents.
Recommended mitigations for this vulnerability include immediate updates to the Keybase.io Verification plugin to version 1.4.6 or later, which should contain proper nonce validation mechanisms. Administrators should also implement additional security measures such as regular monitoring of plugin settings changes, implementation of web application firewalls, and enhanced user training to recognize potential social engineering attempts. The vulnerability demonstrates the critical importance of proper input validation and authentication mechanisms in WordPress plugins, as highlighted by ATT&CK technique T1566 which covers social engineering tactics used to gain initial access to systems. Security teams should also consider implementing automated scanning tools to detect similar vulnerabilities in other installed plugins, as the absence of nonce validation in one component often indicates broader security implementation gaps within the WordPress ecosystem.