DX Unanswered Comments CVE-2026-4138

EUVD-2026-24678 | MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-22 | Reported by Wordfence
CVSS 3.1 base score: 4.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 22, 2026 - 10:03 (vuln.today)

Description (NVD)

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Analysis (AI)

Cross-Site Request Forgery (CSRF) in the DX Unanswered Comments WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify critical plugin settings (authors list and comment count) by tricking a site administrator into clicking a malicious link, due to missing nonce validation in the settings form handler. The CVSS 4.3 score reflects low severity with integrity impact limited to plugin configuration rather than data or code execution, but successful exploitation could alter site functionality if an attacker controls which comments are flagged as unanswered.
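As an added illustration of the missing-nonce pattern described above (not code from the DX Unanswered Comments plugin), the following shows a WordPress settings handler that saves the two options without any request-origin check, beside a hardened version that uses the core nonce and capability APIs. The option names come from the advisory; the function, action and nonce-field names are assumed for the example.

```php
<?php
// Added illustration, not code from the DX Unanswered Comments plugin.
// Option names come from the advisory; function/action names are assumed.

// Vulnerable pattern: any POST reaching this handler while an administrator
// is logged in is honoured, so a form submitted from another site changes
// the settings. Nothing here proves the request came from the plugin's page.
function dxuc_example_save_settings_vulnerable() {
    if ( isset( $_POST['dxuc_authors_list'] ) ) {
        update_option( 'dxuc_authors_list', sanitize_text_field( wp_unslash( $_POST['dxuc_authors_list'] ) ) );
        update_option( 'dxuc_comment_count', absint( $_POST['dxuc_comment_count'] ?? 0 ) );
    }
}

// Hardened pattern, part 1: the form carries a nonce bound to one action.
function dxuc_example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'dxuc_example_save_settings', 'dxuc_example_nonce' ); ?>
        <input type="text" name="dxuc_authors_list"
               value="<?php echo esc_attr( get_option( 'dxuc_authors_list', '' ) ); ?>">
        <input type="number" name="dxuc_comment_count"
               value="<?php echo esc_attr( get_option( 'dxuc_comment_count', 0 ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: verify the nonce and the caller's capability
// before touching any option.
function dxuc_example_save_settings_hardened() {
    if ( ! isset( $_POST['dxuc_example_nonce'] ) ) {
        return; // not a submission of this form
    }
    // Stops with a 403 if the nonce is missing, expired, issued to another
    // user, or bound to a different action.
    check_admin_referer( 'dxuc_example_save_settings', 'dxuc_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    update_option( 'dxuc_authors_list', sanitize_text_field( wp_unslash( $_POST['dxuc_authors_list'] ?? '' ) ) );
    update_option( 'dxuc_comment_count', absint( $_POST['dxuc_comment_count'] ?? 0 ) );
}
```

A WordPress nonce is derived from the logged-in user's session and the action name and rotates over time, so a page on another origin cannot include a valid one; the capability check is defence in depth and does not substitute for the nonce.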



CVE-2026-4138 vulnerability details – vuln.today
