{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6294", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-14T18:03:33.157Z", "datePublished": "2026-04-22T07:45:42.426Z", "dateUpdated": "2026-04-22T07:45:42.426Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:42.426Z"}, "affected": [{"vendor": "byybora", "product": "Google PageRank Display", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge."}], "title": "Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e39ebe27-7780-48b6-8dca-7da7a78fce69?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/trunk/gpdisplay.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/tags/1.4/gpdisplay.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/trunk/gpdisplay.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/tags/1.4/gpdisplay.php#L56"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-21T19:02:33.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge."}], "id": "CVE-2026-6294", "lastModified": "2026-04-22T09:16:26.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:26.677", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/tags/1.4/gpdisplay.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/tags/1.4/gpdisplay.php#L56"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/trunk/gpdisplay.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/trunk/gpdisplay.php#L56"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e39ebe27-7780-48b6-8dca-7da7a78fce69?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:35:55.669027+00:00", "value": {"mitigation_remediation": ["Upgrade the Google PageRank Display plugin to the latest version or any release newer than 1.4, where nonce validation has been added.", "If an upgrade is not immediately feasible, deactivate and uninstall the plugin to eliminate the exposure, or replace it with a reputable alternative that performs necessary checks.", "Configure the WordPress installation or web application firewall to block POST requests to the plugin settings endpoint except from trusted IP addresses or users, providing a temporary mitigation until the plugin can be updated."], "summary": {"action": "Update plugin", "impact": "Cross\u2011Site Request Forgery leading to unauthorized modification of plugin settings"}, "threat_synthesis": {"affected_systems": "The issue affects the Google PageRank Display plugin for WordPress in all releases up to and including 1.4. Affected systems are WordPress sites that have this plugin installed and have logged\u2011in administrators who can access the plugin\u2019s settings page.", "description_and_impact": "The vulnerability allows a remote attacker who is not authenticated to manipulate the settings of the WordPress plugin by sending a POST request to the settings page. Because the code does not validate a nonce, a logged\u2011in administrator can be tricked into submitting a crafted form that changes plugin options stored in the database, such as the style used to display the PageRank badge. The attack does not grant direct access to the system, but it can alter the appearance or functionality of the website and potentially serve as a foothold if the settings affect visibility or moderation. The weakness is identified as CWE\u2011352.", "risk_and_exploitability": "With a CVSS score of 4.3 the risk is moderate. No EPSS data is provided, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. An attacker can exploit this by sending a crafted CSRF request to an administrator\u2019s session without needing additional privileges, making it a low\u2011effort attack vector."}}}}, "created": "2026-04-22T09:45:13.082299+00:00", "updated": "2026-04-22T09:45:13.082311+00:00", "vendors": []}