The Star Review Manager plugin for WordPress, developed by bramdnl, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2026-1076. This vulnerability exists in all versions up to and including 1.2.2 due to the absence of nonce validation on the plugin's settings page. Nonces are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. Without nonce validation, an attacker can craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link), causes unauthorized changes to the plugin's CSS settings. This attack vector does not require the attacker to be authenticated but does require user interaction. The vulnerability impacts the integrity of the plugin's configuration, potentially allowing attackers to manipulate the appearance or behavior of the site via CSS changes. However, it does not compromise confidentiality or availability. The CVSS v3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality or availability impact, and low integrity impact. No patches or exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly.

The primary impact of this vulnerability is on the integrity of the affected WordPress sites using the Star Review Manager plugin. Attackers can alter CSS settings, potentially defacing the site, misleading users, or degrading user experience. While this does not directly expose sensitive data or disrupt site availability, unauthorized visual or behavioral changes can damage brand reputation and user trust. Since the attack requires tricking an administrator into clicking a malicious link, social engineering is a key factor. Organizations with multiple administrators or less security-aware staff are at higher risk. The vulnerability could also be leveraged as part of a broader attack chain, for example, to facilitate phishing or to insert malicious content indirectly. Given WordPress's widespread use, sites using this plugin globally could be affected, especially if they do not have compensating controls such as web application firewalls or strict administrative access policies.

To mitigate this vulnerability, organizations should immediately update the Star Review Manager plugin to a version that includes nonce validation once available. If no patch is currently released, administrators should consider temporarily disabling the plugin or restricting access to its settings page to trusted users only. Implementing web application firewalls (WAFs) that detect and block CSRF attempts can provide additional protection. Educate site administrators about the risks of clicking unsolicited links, especially those that could trigger administrative actions. Additionally, site owners can implement custom nonce validation or CSRF tokens in the plugin's code if they have development resources. Monitoring administrative actions and logs for unusual changes to plugin settings can help detect exploitation attempts early. Finally, applying the principle of least privilege by limiting administrative accounts reduces the attack surface.