Xhanch - My Advanced Settings plugin allows unauthorized settings changes

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.3

Xhanch - My Advanced Settings plugin allows unauthorized settings changes

CVE-2026-3332

Summary

The Xhanch - My Advanced Settings plugin for WordPress has a security flaw that lets attackers change settings without permission. This could happen if an administrator clicks on a malicious link. We recommend updating to a fixed version to prevent unauthorized changes to settings like the site's favicon and Google Analytics ID.

Original title

Original description

The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the `xms_setting()` function on the settings update handler. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Settings that can be modified include favicon URL, Google Analytics account ID, and various WordPress behavior toggles. The `favicon_url` and `ga_acc_id` values are output on the front-end without escaping, enabling a CSRF to Stored XSS chain.

nvd CVSS3.1 4.3

Vulnerability type

CWE-352 Cross-Site Request Forgery (CSRF)

Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026