CVE-2026-6294: CWE-352 Cross-Site Request Forgery (CSRF) in byybora Google PageRank Display
CVE-2026-6294 is a Cross-Site Request Forgery (CSRF) vulnerability in the Google PageRank Display WordPress plugin by byybora, affecting versions up to and including 1. 4. The vulnerability arises because the plugin's settings page lacks nonce validation, allowing attackers to trick authenticated administrators into submitting crafted requests that change plugin settings without their consent. This can result in unauthorized modification of display options for the PageRank badge. The vulnerability has a medium severity with a CVSS score of 4. 3. No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
The Google PageRank Display plugin for WordPress suffers from a CSRF vulnerability due to missing nonce validation in the gpdisplay_option() function, which manages the plugin's settings page. Specifically, the settings form does not include a wp_nonce_field(), and the form handler does not verify any nonce via check_admin_referer() or wp_verify_nonce() before processing POST requests. This flaw allows unauthenticated attackers to coerce logged-in administrators into submitting crafted requests that alter plugin settings stored via update_option(), such as the display style of the PageRank badge. The vulnerability affects all versions up to and including 1.4. There is no vendor-provided patch or official fix at this time.
Potential Impact
An attacker can exploit this vulnerability to change the plugin's settings by tricking an authenticated administrator into submitting a malicious request. This could lead to unauthorized changes in how the PageRank badge is displayed on the site. The vulnerability does not allow direct code execution, data disclosure, or denial of service, but it compromises the integrity of the plugin's configuration. The CVSS score of 4.3 reflects a medium impact primarily on integrity with no impact on confidentiality or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should be cautious about visiting untrusted sites while logged into WordPress with administrative privileges. Implementing manual nonce validation in the plugin code or disabling the plugin temporarily may reduce risk. No official patch or temporary fix is currently available.
CVE-2026-6294: CWE-352 Cross-Site Request Forgery (CSRF) in byybora Google PageRank Display
Description
CVE-2026-6294 is a Cross-Site Request Forgery (CSRF) vulnerability in the Google PageRank Display WordPress plugin by byybora, affecting versions up to and including 1. 4. The vulnerability arises because the plugin's settings page lacks nonce validation, allowing attackers to trick authenticated administrators into submitting crafted requests that change plugin settings without their consent. This can result in unauthorized modification of display options for the PageRank badge. The vulnerability has a medium severity with a CVSS score of 4. 3. No official patch or remediation guidance is currently available from the vendor.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Google PageRank Display plugin for WordPress suffers from a CSRF vulnerability due to missing nonce validation in the gpdisplay_option() function, which manages the plugin's settings page. Specifically, the settings form does not include a wp_nonce_field(), and the form handler does not verify any nonce via check_admin_referer() or wp_verify_nonce() before processing POST requests. This flaw allows unauthenticated attackers to coerce logged-in administrators into submitting crafted requests that alter plugin settings stored via update_option(), such as the display style of the PageRank badge. The vulnerability affects all versions up to and including 1.4. There is no vendor-provided patch or official fix at this time.
Potential Impact
An attacker can exploit this vulnerability to change the plugin's settings by tricking an authenticated administrator into submitting a malicious request. This could lead to unauthorized changes in how the PageRank badge is displayed on the site. The vulnerability does not allow direct code execution, data disclosure, or denial of service, but it compromises the integrity of the plugin's configuration. The CVSS score of 4.3 reflects a medium impact primarily on integrity with no impact on confidentiality or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should be cautious about visiting untrusted sites while logged into WordPress with administrative privileges. Implementing manual nonce validation in the plugin code or disabling the plugin temporarily may reduce risk. No official patch or temporary fix is currently available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-14T18:03:33.157Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8877219fe3cd2cd8093ea
Added to database: 4/22/2026, 8:31:46 AM
Last enriched: 4/22/2026, 8:46:39 AM
Last updated: 4/22/2026, 9:53:12 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.