Description
The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Modification via CSRF
Action: Update Plugin
AI Analysis

Impact

The WordPress plugin WP Status Notifier allows unauthenticated attackers to alter its settings because the update functionality does not validate the required nonce. This flaw lets any attacker who can coerce a site administrator into visiting a crafted link perform a successful change to the plugin’s configuration. The primary consequence is the compromise of the site’s configuration, potentially exposing sensitive information or enabling further attacks, but it does not directly provide remote code execution or other higher‑level privileges.

Affected Systems

The vulnerability affects all releases of the WP Status Notifier plug‑in up to and including version 1.0. The affected product is the WP Status Notifier plug‑in for WordPress, developed by fulippo. Users running WordPress sites with this plug‑in installed and configured are at risk.

Risk and Exploitability

The CVSS rating of 4.3 indicates a moderate impact, while the EPSS score of less than 1 % shows that the probability of exploitation is currently very low. The flaw is not listed in the CISA KEV catalog. Likely exploitation requires an attacker to persuade a logged‑in administrator to click a malicious link or perform a forged request, after which the plug‑in settings are altered without any additional privileges.

Generated by OpenCVE AI on April 21, 2026 at 00:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Status Notifier to the latest version if a fixed release is available
  • If an update is not available, disable or remove the plug‑in from the WordPress installation
  • Implement additional access controls or use a security plugin to restrict or monitor changes to plug‑in settings
  • Educate site administrators about the risks of clicking unknown links

Generated by OpenCVE AI on April 21, 2026 at 00:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title WP Status Notifier <= 1.0 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:38.867Z

Reserved: 2025-11-21T19:14:28.787Z

Link: CVE-2025-13521

cve-icon Vulnrichment

Updated: 2026-01-07T14:46:42.465Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T12:16:48.770

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13521

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses