EUVD-2026-27203
GHSA-gh5g-gr5m-vq9w
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a forged request that modifies the plugin's configuration options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery (CSRF) in DX Sources plugin for WordPress up to version 2.0.1 allows unauthenticated attackers to modify plugin configuration options by tricking a logged-in administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the settings_page_build function, enabling attackers to alter plugin settings without administrative consent. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic
Unauthenticated privilege escalation in the Advanced Custom Fields: Extended (ACFE) WordPress plugin through version 0.9
Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl
Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and
Share
External POC / Exploit Code
Leaving vuln.today