Description
The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized plugin settings modification via CSRF
Action: Immediate Patch
AI Analysis

Impact

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery because a nonce is missing on its settings form. This flaw allows an unauthenticated attacker to craft a forged request that, once submitted from a logged-in administrator's browser, changes the plugin's configuration values such as dxuc_authors_list and dxuc_comment_count. The resulting change does not directly disclose user data, but it grants the attacker the ability to alter comment moderation behavior or display, effectively degrading the site's integrity and potentially defacing content.
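The weakness described above is a settings handler that saves POSTed values without checking a WordPress nonce. The following is an added illustration, not code from the DX Unanswered Comments plugin: the first function shows the vulnerable shape (a POST handler with no nonce or capability check), the second shows the hardened form using the standard WordPress APIs current_user_can(), wp_nonce_field() and check_admin_referer(). The function names, the nonce action string and the nonce field name are hypothetical; only the option names dxuc_authors_list and dxuc_comment_count come from the advisory.

```php
<?php
// Added example (not the plugin's own code). Function names, the nonce action
// and the nonce field name are hypothetical; the option names come from the CVE.

// --- Vulnerable pattern: settings are saved on any POST, with no nonce check. ---
// A page that auto-submits a form to this admin URL while an administrator is
// logged in will have its values accepted, which is the CWE-352 condition.
function example_settings_page_vulnerable() {
    if ( isset( $_POST['dxuc_submit'] ) ) {
        update_option( 'dxuc_authors_list', $_POST['dxuc_authors_list'] );
        update_option( 'dxuc_comment_count', $_POST['dxuc_comment_count'] );
    }
    ?>
    <form method="post">
        <input type="text" name="dxuc_authors_list"
               value="<?php echo esc_attr( get_option( 'dxuc_authors_list', '' ) ); ?>">
        <input type="number" name="dxuc_comment_count"
               value="<?php echo esc_attr( get_option( 'dxuc_comment_count', 0 ) ); ?>">
        <?php submit_button( 'Save', 'primary', 'dxuc_submit' ); ?>
    </form>
    <?php
}

// --- Hardened pattern: capability check plus a nonce bound to this action. ---
function example_settings_page_hardened() {
    // Only users who may manage options can render or save this page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    if ( isset( $_POST['dxuc_submit'] ) ) {
        // check_admin_referer() verifies the nonce field named in the second
        // argument against the action string and stops with a "link expired"
        // page if it is missing or invalid. A cross-site forged request cannot
        // supply a valid nonce because the nonce is derived from the victim's
        // session and is never readable from another origin.
        check_admin_referer( 'example_dxuc_save_settings', 'example_dxuc_nonce' );

        // Sanitize before storing; never write raw $_POST values.
        $authors = sanitize_text_field( wp_unslash( $_POST['dxuc_authors_list'] ?? '' ) );
        $count   = absint( $_POST['dxuc_comment_count'] ?? 0 );

        update_option( 'dxuc_authors_list', $authors );
        update_option( 'dxuc_comment_count', $count );
    }
    ?>
    <form method="post">
        <?php
        // Emits a hidden input named example_dxuc_nonce tied to the action
        // string, plus a _wp_http_referer field.
        wp_nonce_field( 'example_dxuc_save_settings', 'example_dxuc_nonce' );
        ?>
        <input type="text" name="dxuc_authors_list"
               value="<?php echo esc_attr( get_option( 'dxuc_authors_list', '' ) ); ?>">
        <input type="number" name="dxuc_comment_count"
               value="<?php echo esc_attr( get_option( 'dxuc_comment_count', 0 ) ); ?>">
        <?php submit_button( 'Save', 'primary', 'dxuc_submit' ); ?>
    </form>
    <?php
}
```

Both the nonce and the capability check are needed: the capability check stops lower-privileged users, while the nonce stops a forged request riding on an administrator's session. Auditing a plugin for this class of flaw means locating every code path that writes options on POST and confirming that a check_admin_referer() or wp_verify_nonce() call precedes the write.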

Affected Systems

All installations of the DX Unanswered Comments plugin version 1.7 or earlier are affected. The flaw is present in the file dxuc-unanswered-comments-admin-page.php within the plugin package.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, so the current exploitation likelihood is unclear. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an unauthenticated user crafting a CSRF request that a site administrator would inadvertently execute, usually via a malicious link or image. Because no nonce is validated, the forged request succeeds as soon as it is submitted from an administrator's authenticated browser session.

Generated by OpenCVE AI on April 22, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DX Unanswered Comments plugin to a version that includes CSRF protection, or uninstall it if it is no longer needed.
  • Limit access to the WordPress administration area to trusted IP addresses and enforce strong authentication practices.
  • Monitor administrator activity for unexpected configuration changes and consider implementing custom CSRF token checks in the admin interface.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Nofearinc; Nofearinc dx Unanswered Comments; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Nofearinc; Nofearinc dx Unanswered Comments; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type: Description
Values removed: (none)
Values added: The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values removed: (none)
Values added: DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update

Type: Weaknesses
Values removed: (none)
Values added: CWE-352

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Nofearinc Dx Unanswered Comments
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T14:17:42.821Z

Reserved: 2026-03-13T15:27:34.203Z

Link: CVE-2026-4138

Vulnrichment

Updated: 2026-04-22T14:17:30.999Z

NVD

Status : Received

Published: 2026-04-22T09:16:24.547

Modified: 2026-04-22T09:16:24.547

Link: CVE-2026-4138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:43:49Z

Weaknesses