Skip to main content

Wp Js Detect CVE-2026-9731

| EUVDEUVD-2026-42173 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-08 Wordfence GHSA-pj77-3rw8-fp35
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

CSRF requires no attacker privileges (PR:N) but mandates admin interaction (UI:R); impact is limited to low-integrity frontend content injection with no confidentiality or availability effects.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 06:21 vuln.today
CVE Published
Jul 08, 2026 - 05:34 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the plugin_settings function. This makes it possible for unauthenticated attackers to update the plugin's notification text and CSS settings (wp_non_js_notification_text and wp_non_js_notification_css), injecting arbitrary content that is echoed unescaped on the frontend via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in the Wp Js Detect WordPress plugin (all versions ≤ 1.0.9) permits unauthenticated attackers to overwrite the plugin's frontend notification text and CSS settings by exploiting absent nonce validation in the plugin_settings function. Because the stored values are echoed unescaped to the WordPress frontend, a successful forged request can inject arbitrary HTML or script content visible to site visitors who have JavaScript disabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft hidden CSRF form targeting plugin_settings endpoint
Delivery
Deliver phishing link to WordPress administrator
Exploit
Admin browser submits forged settings request with injected payload
Execution
Plugin stores attacker-controlled notification text/CSS without nonce check
Persist
Injected content echoed unescaped on WordPress frontend
Impact
JS-disabled visitors exposed to arbitrary injected HTML or script

Vulnerability AssessmentAI

Exploitation The Wp Js Detect plugin must be installed and active on the target WordPress site in version 1.0.9 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) is internally consistent with the described attack: network-reachable, low complexity, no attacker privileges required, but constrained by mandatory administrator interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a hidden HTML form on a malicious webpage targeting the WordPress site's plugin settings endpoint, pre-populating wp_non_js_notification_text with injected HTML or JavaScript content. The attacker sends a phishing link to a WordPress site administrator - for example, via email or a comment notification - and when the administrator visits the page while their admin session is active, the browser silently submits the forged POST request without nonce verification. …
Remediation No vendor-released patched version is confirmed in the available data - the CPE range covers all versions through 1.0.9 without a fixed release referenced in any provided intelligence source. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy