CVE-2026-6294: CWE-352 Cross-Site Request Forgery (CSRF) in byybora Google PageRank Display
CVE-2026-6294 is a Cross-Site Request Forgery (CSRF) vulnerability in the Google PageRank Display WordPress plugin by byybora, affecting versions up to and including 1.4. The vulnerability arises because the plugin's settings page lacks nonce validation, allowing an attacker to trick a logged-in administrator into submitting a crafted request that changes plugin settings without proper authorization. This can lead to unauthorized modification of display options for the PageRank badge. The vulnerability has a medium severity with a CVSS score of 4.3. No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
The Google PageRank Display plugin for WordPress (by byybora) is vulnerable to CSRF due to missing nonce validation in the gpdisplay_option() function, which handles the plugin's settings page. The settings form does not include a wp_nonce_field(), and the form handler does not verify a nonce before processing POST requests. This allows unauthenticated attackers to trick logged-in administrators into changing plugin settings such as display style via crafted requests. The vulnerability affects versions up to and including 1.4. No patch or official remediation has been published as of the data provided.
Potential Impact
An attacker can exploit this vulnerability to cause a logged-in administrator to unknowingly change the plugin's settings, potentially altering how the PageRank badge is displayed. This does not directly impact confidentiality or availability but can lead to unauthorized configuration changes, which may affect site appearance or behavior.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should limit plugin usage to trusted environments and avoid visiting untrusted sites while logged into WordPress admin. Monitoring for updates from the vendor is recommended.
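As an added example that is not the plugin's or the vendor's code, the following minimal WordPress settings page shows the two controls whose absence the technical summary describes: a wp_nonce_field() in the settings form, and verification of that nonce (plus a capability check) in the POST handler before any option is written. Every identifier in it (option name, nonce action and field name, function names, menu slug, text domain) is hypothetical; the only function the page names, gpdisplay_option(), is not reproduced.

```php
<?php
/*
 * Added example, not the byybora Google PageRank Display plugin's code.
 * A settings page handler with the CSRF protections that CWE-352 calls for.
 * All names below are hypothetical placeholders.
 */

const EXAMPLE_OPTION = 'example_badge_style';        // option written by the form
const EXAMPLE_ACTION = 'example_save_badge_style';   // nonce action string
const EXAMPLE_FIELD  = 'example_badge_nonce';        // nonce hidden-field name
const EXAMPLE_STYLES = array( 'classic', 'compact', 'hidden' );  // allow-list

add_action( 'admin_menu', 'example_register_settings_page' );

function example_register_settings_page() {
    // 'manage_options' gates the menu entry; the handler re-checks it below,
    // because menu visibility alone does not authorize the POST.
    add_options_page(
        'Badge Display', 'Badge Display', 'manage_options',
        'example-badge-display', 'example_settings_page'
    );
}

function example_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    if ( isset( $_POST[ EXAMPLE_OPTION ] ) ) {
        example_handle_post();
    }

    $current = get_option( EXAMPLE_OPTION, 'classic' );
    settings_errors( EXAMPLE_OPTION );
    ?>
    <div class="wrap">
        <h1>Badge Display</h1>
        <form method="post">
            <?php
            // The field the vulnerable form lacks: a hidden token bound to the
            // current user, session and action, which a cross-site page cannot read.
            wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_FIELD );
            ?>
            <select name="<?php echo esc_attr( EXAMPLE_OPTION ); ?>">
                <?php foreach ( EXAMPLE_STYLES as $style ) : ?>
                    <option value="<?php echo esc_attr( $style ); ?>"
                        <?php selected( $current, $style ); ?>>
                        <?php echo esc_html( $style ); ?>
                    </option>
                <?php endforeach; ?>
            </select>
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

function example_handle_post() {
    // check_admin_referer() calls wp_die() if the nonce is absent, expired,
    // or was issued for a different user or action. A forged cross-site POST
    // carries no valid token, so processing stops here.
    check_admin_referer( EXAMPLE_ACTION, EXAMPLE_FIELD );

    // A nonce proves intent, not authorization: check the capability again.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    // Validate against the allow-list instead of storing the raw value.
    $style = sanitize_text_field( wp_unslash( $_POST[ EXAMPLE_OPTION ] ) );
    if ( ! in_array( $style, EXAMPLE_STYLES, true ) ) {
        add_settings_error( EXAMPLE_OPTION, 'invalid_style', 'Unknown badge style.' );
        return;
    }

    update_option( EXAMPLE_OPTION, $style );
    add_settings_error( EXAMPLE_OPTION, 'saved', 'Settings saved.', 'updated' );
}
```

A plugin that posts to WordPress's own options.php via the Settings API (register_setting() plus settings_fields() in the form) gets the nonce and its verification from core and does not need the explicit check_admin_referer() call; a custom handler like the one the advisory describes must perform that check itself, which is the defect here.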
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-04-14T18:03:33.157Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e8877219fe3cd2cd8093ea
Added to database: 4/22/2026, 8:31:46 AM
Last enriched: 4/29/2026, 11:48:03 AM
Last updated: 6/5/2026, 5:42:04 AM