Description
The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery permitting unauthorized alteration of plugin settings and post titles
Action: Update Plugin
AI Analysis

Impact

The vulnerability resides in the AdminQuickbar plugin for WordPress. Missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions allows an attacker to submit forged requests. An unauthenticated adversary can trick a site administrator into clicking a malicious link, causing the forged request to be executed under that administrator's authenticated session. The result is that the plugin's configuration can be changed at will and post titles can be updated without authorization, undermining the integrity of the site's content and settings.

Affected Systems

WordPress sites that have the AdminQuickbar plugin version 1.9.3 or earlier are affected. The plugin is distributed by rtowebsites and is used as an add-on to WordPress installations.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% reflects a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no widespread active exploitation. An attacker would need to use social engineering to get an administrator to initiate the forged request, but once successful the attacker, without holding any privileges on the site, can alter critical site configuration and content.

Generated by OpenCVE AI on April 20, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AdminQuickbar plugin to version 1.9.4 or later where nonce validation is correctly implemented
  • Immediately inform all site administrators that the current plugin revision is vulnerable and advise them to avoid clicking suspicious links until a patch is applied
  • If an upgrade cannot be performed right away, disable or lock the 'saveSettings' and 'renamePost' AJAX handlers, or restrict their execution to authenticated administrators with proper nonce verification
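What the third recommendation amounts to in code, as an added example (not AdminQuickbar's own code; the aqb_ function names, the 'aqb_rename_post' action and the 'aqb_nonce' field are hypothetical): a post-rename AJAX handler in its CSRF-prone form beside its nonce-checked, capability-checked form.

```php
<?php
// Added illustration of nonce validation on a WordPress AJAX action.
// All aqb_ names, the 'aqb_rename_post' action and the 'aqb_nonce' field
// are hypothetical; this is not AdminQuickbar's code.

// CSRF-prone pattern: the handler trusts the administrator's session cookie
// alone, so a request forged by another site and sent from the logged-in
// administrator's browser is processed like a legitimate one.
function aqb_rename_post_unsafe() {
    $post_id = (int) $_POST['post_id'];
    wp_update_post( array( 'ID' => $post_id, 'post_title' => sanitize_text_field( $_POST['title'] ) ) );
    wp_send_json_success();
}

// Hardened pattern: require a nonce bound to this specific action AND the
// capability to edit the targeted post before changing anything.
function aqb_rename_post_safe() {
    // Reads 'aqb_nonce' from the request, verifies it against the
    // 'aqb_rename_post' action, and terminates the request on failure.
    check_ajax_referer( 'aqb_rename_post', 'aqb_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( 'empty title', 400 );
    }
    wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
// Registered for logged-in users only: no wp_ajax_nopriv_ hook, so
// unauthenticated callers never reach the handler at all.
add_action( 'wp_ajax_aqb_rename_post', 'aqb_rename_post_safe' );

// The plugin's own admin page hands the nonce to its script, so only
// requests originating from that page carry a token that verifies.
function aqb_enqueue_admin_script() {
    wp_enqueue_script( 'aqb-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'aqb-admin', 'aqbData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'aqb_rename_post' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'aqb_enqueue_admin_script' );
```

The script then sends aqbData.nonce as the aqb_nonce field with every rename request; a forged cross-site request has no way to obtain that per-user, per-action token, so check_ajax_referer() rejects it before any state changes.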

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 08:45:00 +0000

Type: Description
Values added: The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values added: AdminQuickbar <= 1.9.3 - Cross-Site Request Forgery to Settings Update

Type: Weaknesses
Values added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:29.705Z

Reserved: 2025-12-12T21:34:10.952Z

Link: CVE-2025-14630

Vulnrichment

Updated: 2026-01-26T15:29:25.919Z

NVD

Status: Deferred

Published: 2026-01-24T09:15:52.053

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:00:12Z

Weaknesses