Description
Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery. This issue affects Kenta Companion: from n/a through <= 1.3.3.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential unauthorized actions via CSRF
Action: Update
AI Analysis

Impact

The vulnerability is a CSRF flaw in the Kenta Companion plugin for WordPress. An authenticated user who follows a malicious link can be tricked into making unintended changes to site settings or content. This weakness is due to missing CSRF protection, identified as CWE‑352.

Affected Systems

WP Moose Kenta Companion plugin versions 1.3.3 and earlier. Any WordPress site with this plugin installed is affected.

Risk and Exploitability

Based on the description, the attack vector is inferred to require a logged‑in user to click a crafted link, making it a social‑engineering attack. The CVSS score of 4.3 is rated Medium, while the EPSS score of less than 1% suggests a low likelihood of real‑world exploitation. The vulnerability is not listed in the KEV catalog. Because the plugin lacks a proper CSRF token, the request can be delivered without direct user interaction beyond clicking a link.

Generated by OpenCVE AI on April 16, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kenta Companion plugin to the latest release that addresses the CSRF flaw.
  • If an immediate upgrade is not feasible, limit the plugin’s administrative functions to users with the highest privileged roles and enforce a manual CSRF token for any state‑changing request.
  • Deploy a comprehensive WordPress security solution such as Wordfence or Sucuri to detect and block malicious requests and monitor suspicious activity.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wp Moose; Wp Moose kenta Companion

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wp Moose; Wp Moose kenta Companion

Fri, 20 Feb 2026 06:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Thu, 19 Feb 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery. This issue affects Kenta Companion: from n/a through <= 1.3.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Kenta Companion plugin <= 1.3.3 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:01.674Z

Reserved: 2026-02-17T13:24:05.456Z

Link: CVE-2026-27090

Vulnrichment

Updated: 2026-02-19T16:21:21.864Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:27.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses