Description
The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-01-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Modification
Action: Patch Immediately
AI Analysis

Impact

The Star Review Manager plugin for WordPress contains a Cross‑Site Request Forgery flaw that arises because the settings page omits nonce validation. An attacker who can trick a site administrator into clicking a crafted link can alter the plugin’s CSS settings without any authentication. The change is limited to visual styling but could be leveraged to obscure administrative notices, redirect visitors, or facilitate other social‑engineering tactics. The vulnerability belongs to CWE‑352, indicating missing request forgery protection.

Affected Systems

Any WordPress site that installs Star Review Manager version 1.2.2 or earlier, released by the vendor bramdnl, is susceptible. The flaw exists across all supported WordPress configurations and is not restricted to a specific operating system or hosting environment.

Risk and Exploitability

With a CVSS base score of 4.3, the inherent severity is low to moderate. The EPSS score of less than 1% shows that, according to current exploit probability models, exploitation is unlikely but not impossible. The vulnerability is not currently listed in CISA’s KEV catalog. Exploitation requires only that a logged-in administrator click a malicious link; the attacker needs no credentials of their own, which makes the attack vector straightforward. Overall risk remains low for well‑maintained sites that apply timely updates, but the ease of execution warrants prompt remediation.

Generated by OpenCVE AI on April 15, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Star Review Manager to the latest version (1.2.3 or newer).
  • If an immediate upgrade is impossible, restrict access to the WordPress admin area from trusted IP addresses or disable the settings page temporarily.
  • Review loaded CSS styles for unexpected changes and monitor for unauthorized modifications.
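
The defect named in the description is a settings handler that trusts a POST as long as the browser carries an administrator session, so a cross-site form submission passes. The following is an added illustration, not code from the Star Review Manager plugin or from OpenCVE: a hypothetical WordPress settings handler in its vulnerable shape beside the hardened shape (capability check, nonce validation with check_admin_referer(), sanitisation), plus an update_option hook that logs CSS changes, which is one way to carry out the "monitor for unauthorized modifications" recommendation above. All function, option and action names (srm_example_*) are placeholders chosen for this example.

```php
<?php
/*
 * Added example, not the plugin's own code. All srm_example_* names and the
 * 'custom_css' field are placeholders; only the WordPress API calls are real.
 */

// Vulnerable shape: the only gate is the capability check. A logged-in
// administrator who visits an attacker-controlled page auto-submits this
// request with their own cookies, and nothing ties the request to a form
// the site itself rendered. This is the CWE-352 defect described above.
function srm_example_save_css_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Missing: nonce validation.
    update_option( 'srm_example_custom_css', wp_unslash( $_POST['custom_css'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=srm-example' ) );
    exit;
}

// Hardened shape: capability check, then nonce check, then sanitisation.
function srm_example_save_css() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // check_admin_referer() verifies the nonce field named 'srm_example_nonce'
    // against the action 'srm_example_save_css' for the current user and dies
    // with a 403 if it is missing or invalid. A cross-site form cannot obtain
    // that value, so a forged request stops here.
    check_admin_referer( 'srm_example_save_css', 'srm_example_nonce' );

    $css = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    // Remove any markup so the stored value can only ever be stylesheet text.
    $css = wp_strip_all_tags( $css );
    update_option( 'srm_example_custom_css', $css );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=srm-example' ) ) );
    exit;
}
// admin-post.php routes a POST whose 'action' field is srm_example_save_css here.
add_action( 'admin_post_srm_example_save_css', 'srm_example_save_css' );

// The settings form. wp_nonce_field() emits the hidden nonce input (and a
// referer field); its action and field name must match check_admin_referer().
function srm_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="srm_example_save_css">
        <?php wp_nonce_field( 'srm_example_save_css', 'srm_example_nonce' ); ?>
        <textarea name="custom_css" rows="10" cols="80"><?php
            echo esc_textarea( get_option( 'srm_example_custom_css', '' ) );
        ?></textarea>
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}

// Monitoring: WordPress fires update_option_{$option} after a stored option
// changes. Logging who changed the CSS, and a digest of old and new values,
// gives the review step above something concrete to check against.
function srm_example_log_css_change( $old_value, $value, $option ) {
    if ( $old_value === $value ) {
        return;
    }
    error_log( sprintf(
        '[srm-example] option %s changed by user %d (old sha256=%s, new sha256=%s)',
        $option,
        get_current_user_id(),
        hash( 'sha256', (string) $old_value ),
        hash( 'sha256', (string) $value )
    ) );
}
add_action( 'update_option_srm_example_custom_css', 'srm_example_log_css_change', 10, 3 );
```

The ordering in the hardened handler matters: the capability check runs first so that an unprivileged user never reaches the nonce check, and the nonce check runs before any state change. The hash-only log line avoids writing attacker-supplied CSS into the log while still letting an operator see that a change happened and correlate it with the responsible account.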


Advisories

No advisories yet.

History

Mon, 26 Jan 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Wordpress; Wordpress wordpress
Vendors & Products    -                Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description   -                The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title         -                Star Review Manager <= 1.2.2 - Cross-Site Request Forgery to Settings Update
Weaknesses    -                CWE-352
References    -                -
Metrics       -                cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:23.540Z

Reserved: 2026-01-16T20:26:21.069Z

Link: CVE-2026-1076

Vulnrichment

Updated: 2026-01-26T15:29:33.050Z

NVD

Status : Deferred

Published: 2026-01-24T08:16:08.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:15:12Z

Weaknesses