Skip to main content

WP Migrate Lite CVE-2026-49043

| EUVDEUVD-2026-36867 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-15 Patchstack GHSA-vfjr-4w5j-4jph
4.7
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
vuln.today AI
6.1 MEDIUM

Added I:L over the provided I:N because CSRF against a migration plugin can plausibly trigger unauthorized write operations; remaining metrics align with the provided vector.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:53 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions.

AnalysisAI

Cross-Site Request Forgery in WP Migrate Lite (WordPress plugin by WP Engine, versions ≤ 2.7.8) enables unauthenticated remote attackers to force authenticated administrators to invoke unauthorized plugin actions by deceiving them into visiting a malicious page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/A:L) confirms low-complexity network exploitation with changed scope, meaning triggered actions can produce availability impact beyond the plugin itself - consistent with migration or database operations affecting the broader WordPress installation. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

WP Migrate Lite is a WordPress database migration plugin developed by WP Engine, identified by CPE cpe:2.3:a:wp_engine:wp_migrate_lite:*. The root cause is CWE-352 (Cross-Site Request Forgery): the plugin's administrative HTTP endpoints fail to validate that state-changing requests originate from a legitimate, authenticated session - typically implemented in WordPress via nonce checks using wp_verify_nonce(). Without this validation, any webpage controlled by an attacker can embed a hidden form or JavaScript fetch that auto-submits a crafted request to the plugin's admin-facing endpoints. Because WordPress admin actions inherit the session of the logged-in user, the victim's browser supplies all necessary cookies and authentication context automatically, making the forged request indistinguishable to the server from a legitimate one.

RemediationAI

Update WP Migrate Lite to any version beyond 2.7.8 if a patched release has been published by WP Engine; no exact fix version was confirmed in the available dataset, so check the WordPress plugin repository or WP Engine's release page for the latest version. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-migrate-db/vulnerability/wordpress-wp-migrate-lite-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability should be consulted for vendor-confirmed patch details. As an interim compensating control, restrict access to the WordPress admin panel (/wp-admin/) using IP allowlisting at the web server or WAF layer, limiting the surface for CSRF delivery - note this does not prevent exploitation if an attacker can reach administrators via other means. Administrators should avoid clicking unsolicited links or opening untrusted web pages while actively logged into WordPress. Web Application Firewalls with CSRF detection rulesets (such as those offered by Cloudflare, Sucuri, or Patchstack's own vPatching product) can provide virtual patching until an official update is applied.

Share

CVE-2026-49043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy