Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CSRF requires no attacker privileges (PR:N) but mandates admin interaction (UI:R); impact is limited to low-integrity frontend content injection with no confidentiality or availability effects.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the plugin_settings function. This makes it possible for unauthenticated attackers to update the plugin's notification text and CSS settings (wp_non_js_notification_text and wp_non_js_notification_css), injecting arbitrary content that is echoed unescaped on the frontend via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in the Wp Js Detect WordPress plugin (all versions ≤ 1.0.9) permits unauthenticated attackers to overwrite the plugin's frontend notification text and CSS settings by exploiting absent nonce validation in the plugin_settings function. Because the stored values are echoed unescaped to the WordPress frontend, a successful forged request can inject arbitrary HTML or script content visible to site visitors who have JavaScript disabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Wp Js Detect plugin must be installed and active on the target WordPress site in version 1.0.9 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) is internally consistent with the described attack: network-reachable, low complexity, no attacker privileges required, but constrained by mandatory administrator interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a hidden HTML form on a malicious webpage targeting the WordPress site's plugin settings endpoint, pre-populating wp_non_js_notification_text with injected HTML or JavaScript content. The attacker sends a phishing link to a WordPress site administrator - for example, via email or a comment notification - and when the administrator visits the page while their admin session is active, the browser silently submits the forged POST request without nonce verification. … |
| Remediation | No vendor-released patched version is confirmed in the available data - the CPE range covers all versions through 1.0.9 without a fixed release referenced in any provided intelligence source. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42173
GHSA-pj77-3rw8-fp35