Description
Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions.
Published: 2026-06-15
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Cross Site Request Forgery (CSRF) exists in the WP Migrate Lite plugin versions 2.7.8 and older. The flaw allows an attacker to trick a user into sending a forged HTTP request to the site, causing unintended actions to be performed on behalf of that user. Because the vulnerability requires no authentication, any visitor can trigger the exploit, but the actual impact depends on the privileges of the user who visits the malicious link. The weakness is classified as CWE‑352.

Affected Systems

WordPress sites that use the WP Migrate Lite plugin supplied by WP Engine, with a version equal to or lower than 2.7.8. The issue does not affect newer releases, such as 2.7.9 and later.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate security risk. The EPSS score is less than 1%, implying a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a browser‑based CSRF attack that does not require authentication and can be triggered by any user who visits a crafted URL. Because the exploit requires only the victim’s browser, it is easier to launch but results in the attacker performing actions that the user’s account authorizes.

Generated by OpenCVE AI on June 18, 2026 at 00:33 UTC.

Remediation

Vendor Solution

Update the WordPress WP Migrate Lite plugin to the latest available version (at least 2.7.9).


OpenCVE Recommended Actions

  • Upgrade the WordPress WP Migrate Lite plugin to version 2.7.9 or newer.
  • If the plugin is no longer needed, deactivate or uninstall it to eliminate the surface area.
  • Review and enforce minimum user privileges on your WordPress admin area to limit the damage a compromised account could cause.

Generated by OpenCVE AI on June 18, 2026 at 00:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpengine
Wpengine wp Migrate
Vendors & Products Wordpress
Wordpress wordpress
Wpengine
Wpengine wp Migrate

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions.
Title WordPress WP Migrate Lite plugin <= 2.7.8 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L'}


Subscriptions

Wordpress Wordpress
Wpengine Wp Migrate
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:21:03.911Z

Reserved: 2026-05-27T08:41:55.487Z

Link: CVE-2026-49043

cve-icon Vulnrichment

Updated: 2026-06-16T01:20:58.907Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:18.723

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49043

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)