Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Added I:L over the provided I:N because CSRF against a migration plugin can plausibly trigger unauthorized write operations; remaining metrics align with the provided vector.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions.
AnalysisAI
Cross-Site Request Forgery in WP Migrate Lite (WordPress plugin by WP Engine, versions ≤ 2.7.8) enables unauthenticated remote attackers to force authenticated administrators to invoke unauthorized plugin actions by deceiving them into visiting a malicious page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/A:L) confirms low-complexity network exploitation with changed scope, meaning triggered actions can produce availability impact beyond the plugin itself - consistent with migration or database operations affecting the broader WordPress installation. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
WP Migrate Lite is a WordPress database migration plugin developed by WP Engine, identified by CPE cpe:2.3:a:wp_engine:wp_migrate_lite:*. The root cause is CWE-352 (Cross-Site Request Forgery): the plugin's administrative HTTP endpoints fail to validate that state-changing requests originate from a legitimate, authenticated session - typically implemented in WordPress via nonce checks using wp_verify_nonce(). Without this validation, any webpage controlled by an attacker can embed a hidden form or JavaScript fetch that auto-submits a crafted request to the plugin's admin-facing endpoints. Because WordPress admin actions inherit the session of the logged-in user, the victim's browser supplies all necessary cookies and authentication context automatically, making the forged request indistinguishable to the server from a legitimate one.
RemediationAI
Update WP Migrate Lite to any version beyond 2.7.8 if a patched release has been published by WP Engine; no exact fix version was confirmed in the available dataset, so check the WordPress plugin repository or WP Engine's release page for the latest version. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-migrate-db/vulnerability/wordpress-wp-migrate-lite-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability should be consulted for vendor-confirmed patch details. As an interim compensating control, restrict access to the WordPress admin panel (/wp-admin/) using IP allowlisting at the web server or WAF layer, limiting the surface for CSRF delivery - note this does not prevent exploitation if an attacker can reach administrators via other means. Administrators should avoid clicking unsolicited links or opening untrusted web pages while actively logged into WordPress. Web Application Firewalls with CSRF detection rulesets (such as those offered by Cloudflare, Sucuri, or Patchstack's own vPatching product) can provide virtual patching until an official update is applied.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36867
GHSA-vfjr-4w5j-4jph