Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Knowledge Graph settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.
Technical ContextAI
This vulnerability stems from a CSRF weakness (CWE-352) in the WordPress plugin's settings handling mechanism. The plugin fails to implement WordPress nonce validation—a cryptographic token mechanism that WordPress provides to prevent CSRF attacks. The affected code is located in gsp-options.php (line 10 as referenced in the plugin's source repository), where the settings update functionality processes POST requests without verifying the nonce via wp_verify_nonce() or similar protective measures. The CPE identifier (cpe:2.3:a:omarnas:add_google_social_profiles_to_knowledge_graph_box) confirms this affects the vendor omarnas's Knowledge Graph plugin across all versions up to 1.0. CSRF vulnerabilities are particularly dangerous in WordPress admin contexts because authenticated administrators are frequently browsing external sites, making them susceptible to forged requests originating from attacker-controlled domains.
RemediationAI
Site administrators should immediately upgrade the Add Google Social Profiles to Knowledge Graph Box plugin to a patched version when released by the vendor omarnas, checking the official WordPress plugin repository and vendor advisory (linked via Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/19339b9f-8242-44a5-8239-7ef347ffbaad) for patch availability. Until a fix is released, apply WordPress security best practices: restrict admin panel access via firewall rules or Web Application Firewall (WAF) to trusted IP ranges, disable the vulnerable plugin if not critical to operations, educate administrators about phishing and malicious links, and monitor admin settings changes via WordPress security plugins or audit logs. Additionally, consider implementing Content Security Policy (CSP) headers and X-Frame-Options to mitigate CSRF vector effectiveness site-wide.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14007
GHSA-r65q-93p5-8cff