Description
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are persisted via update_option() without sanitization and echoed unescaped into frontend page content, successful exploitation of the CSRF can be chained into stored Cross-Site Scripting affecting all site visitors.
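The two defects the description names, a settings save with no nonce check and raw option values echoed into the page, reconstructed as an added illustration rather than the plugin's own code, beside a hardened handler. Only the three option keys come from the advisory; the function names, the `jqfoot_save` submit field and the nonce action/field names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Option keys come from the
// advisory; function names and the nonce action/field names are assumptions.

// BEFORE: the shape the advisory describes. Any POST that reaches this code,
// including one forged from a third-party page while an administrator is
// logged in, is persisted as-is and later echoed into page content.
function jqfoot_save_options_insecure() {
    if ( isset( $_POST['jqfoot_anchor_open'] ) ) {
        update_option( 'jqfoot_anchor_open',  $_POST['jqfoot_anchor_open'] );
        update_option( 'jqfoot_anchor_close', $_POST['jqfoot_anchor_close'] );
        update_option( 'jqfoot_title',        $_POST['jqfoot_title'] );
    }
}

// AFTER: the CSRF is stopped by a nonce bound to this form plus a capability
// check; the XSS chain is cut by sanitizing on save and escaping on output.
function jqfoot_save_options_hardened() {
    if ( ! isset( $_POST['jqfoot_save'] ) ) {
        return;
    }
    // Calls wp_die() unless the 'jqfoot_nonce' field carries a valid nonce
    // for the action 'jqfoot_save_options' issued to this user's session.
    check_admin_referer( 'jqfoot_save_options', 'jqfoot_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    foreach ( array( 'jqfoot_anchor_open', 'jqfoot_anchor_close', 'jqfoot_title' ) as $key ) {
        // Strip tags, line breaks and control characters before persisting.
        $value = isset( $_POST[ $key ] ) ? sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) : '';
        update_option( $key, $value );
    }
}

// The settings form must emit the matching nonce field; a cross-site page
// cannot read this per-session token, so a forged POST fails the check.
function jqfoot_render_nonce_field() {
    wp_nonce_field( 'jqfoot_save_options', 'jqfoot_nonce' );
}

// Frontend rendering: escape at output time as well, so a value that reached
// the database by any other route still cannot execute as script.
function jqfoot_render_anchor( $footnote_number ) {
    return esc_html( get_option( 'jqfoot_anchor_open', '[' ) )
         . intval( $footnote_number )
         . esc_html( get_option( 'jqfoot_anchor_close', ']' ) );
}
```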
Published: 2026-06-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists because the jqFootnotes_options_subpanel function does not enforce proper nonce validation. As a result, any unauthenticated user can send a crafted request that changes the plugin’s options. Because options such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are output directly into page content without escaping, the attacker can store malicious scripts that execute for all visitors.

Affected Systems

The affected product is the jQuery Hover Footnotes WordPress plugin, all releases up to and including version 1.4. This includes installations that have not yet applied the latest patch or a newer version.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the lack of an EPSS score or KEV listing suggests no known mass exploitation at present. Exploitation requires that an administrator unknowingly performs a request that includes the forged parameters, so the attack vector is primarily social engineering of a privileged user. The impact is that any site visitor could receive injected JavaScript payloads, compromising confidentiality and integrity of the site’s front end.

Generated by OpenCVE AI on June 9, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the jQuery Hover Footnotes plugin to version 1.5 or later.
  • If an update is not immediately possible, disable or delete the plugin to prevent further exploitation.
  • Review and sanitize any plugin configuration values, ensuring they are properly escaped when output to the front end.

Generated by OpenCVE AI on June 9, 2026 at 05:27 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 19:30:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:15:00 +0000

Type: First Time appeared
  Values Added: Weaverlancegmailcom; Weaverlancegmailcom jquery Hover Footnotes; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Added: Weaverlancegmailcom; Weaverlancegmailcom jquery Hover Footnotes; Wordpress; Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type: Description
  Values Added: The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend.

Type: Title
  Values Added: jQuery Hover Footnotes <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update

Type: Weaknesses
  Values Added: CWE-352

Type: References

Type: Metrics
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T19:10:34.333Z

Reserved: 2026-06-01T13:54:24.821Z

Link: CVE-2026-10553

Vulnrichment

Updated: 2026-06-09T19:09:46.607Z

NVD

Status: Deferred

Published: 2026-06-09T05:16:29.830

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-10553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:55:58Z

Weaknesses