CVE-2026-8911 is a CSRF vulnerability in the WP AutoBuzz plugin for WordPress, affecting all versions up to 1.1.1. The issue arises from missing or incorrect nonce validation on a plugin function, enabling attackers to forge requests that update plugin settings and inject malicious web scripts. This bypasses WordPress's DISALLOW_UNFILTERED_HTML protection because the plugin writes unsanitized values directly using update_option, outside the standard WordPress content handling mechanisms. The vulnerability requires user interaction (UI:R) and has a CVSS 3.1 base score of 6.1, indicating medium severity. No patch or official remediation is currently documented.

An attacker can exploit this vulnerability by tricking a site administrator into clicking a crafted link, causing unauthorized changes to plugin settings and injection of malicious scripts. This can lead to limited confidentiality and integrity impacts on the affected WordPress site. Availability is not impacted. The vulnerability bypasses built-in WordPress protections, increasing risk. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should exercise caution when interacting with untrusted links and consider disabling or removing the WP AutoBuzz plugin if feasible. Monitor official godlessons or WordPress plugin repositories for updates addressing this vulnerability.