Description
The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery leading to unauthorized modification of plugin settings
Action: Update plugin
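The missing-nonce pattern that the description above refers to, shown as an added example that is not code from the Google PageRank Display plugin: a WordPress options-page handler first without and then with nonce validation. Of the names used, only wp_nonce_field(), check_admin_referer() and update_option() come from the description; every gpd_* function, the option key and the action string are hypothetical.

```php
<?php
// Added example, not code from the Google PageRank Display plugin: a settings
// handler in the pattern the description above names, first without and then
// with nonce validation. All gpd_* names, the option key and the action
// string are hypothetical.

// Before: every POST reaching the page is treated as a genuine submission, so
// a form auto-submitted from a third-party page in an administrator's browser
// updates the option just as the real settings form would (CWE-352).
function gpd_option_page_vulnerable() {
    if ( isset( $_POST['gpd_style'] ) ) {
        update_option( 'gpd_style', sanitize_text_field( wp_unslash( $_POST['gpd_style'] ) ) );
    }
    gpd_render_form( false );
}

// After: the form carries a nonce bound to a named action and the handler
// verifies it, and the caller's capability, before writing to the database.
function gpd_option_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['gpd_style'] ) ) {
        // Stops with an error page when the nonce is missing, expired, or was
        // issued for another user or action; the update below is never reached.
        check_admin_referer( 'gpd_save_settings', 'gpd_nonce' );
        $style = sanitize_text_field( wp_unslash( $_POST['gpd_style'] ) );
        if ( in_array( $style, array( 'badge', 'text' ), true ) ) {
            update_option( 'gpd_style', $style );
        }
    }
    gpd_render_form( true );
}

function gpd_render_form( $with_nonce ) {
    $current = get_option( 'gpd_style', 'badge' );
    echo '<form method="post">';
    if ( $with_nonce ) {
        // Emits a hidden gpd_nonce input tied to the gpd_save_settings action.
        wp_nonce_field( 'gpd_save_settings', 'gpd_nonce' );
    }
    echo '<select name="gpd_style">';
    foreach ( array( 'badge', 'text' ) as $style ) {
        printf( '<option value="%1$s"%2$s>%1$s</option>', esc_attr( $style ), selected( $current, $style, false ) );
    }
    echo '</select> <button type="submit">Save</button></form>';
}
```

The capability check alone does not stop the forged request, because the victim administrator already holds the capability; it is the nonce that ties the submission to a form the site itself rendered for that user.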
AI Analysis

Impact

The vulnerability allows a remote attacker who is not authenticated to change the settings of the WordPress plugin by causing a POST request to the settings page. Because the code does not validate a nonce, a logged-in administrator can be tricked into submitting a crafted form that changes plugin options stored in the database, such as the style used to display the PageRank badge. The attack does not grant direct access to the system, but it can alter the appearance or functionality of the website and could serve as a foothold if the affected settings control visibility or moderation. The weakness is classified as CWE-352.

Affected Systems

The issue affects the Google PageRank Display plugin for WordPress in all releases up to and including 1.4. Affected systems are WordPress sites that have this plugin installed and have logged-in administrators who can access the plugin's settings page.

Risk and Exploitability

With a CVSS score of 4.3 the risk is moderate. No EPSS data is provided, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. An attacker can exploit this by luring a logged-in administrator into sending a crafted request from their authenticated session, without needing any privileges of their own, making it a low-effort attack vector.

Generated by OpenCVE AI on April 22, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Google PageRank Display plugin to the latest version or any release newer than 1.4, where nonce validation has been added.
  • If an upgrade is not immediately feasible, deactivate and uninstall the plugin to eliminate the exposure, or replace it with a reputable alternative that performs necessary checks.
  • Configure the WordPress installation or web application firewall to block POST requests to the plugin settings endpoint except from trusted IP addresses or users, providing a temporary mitigation until the plugin can be updated.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Byybora; Byybora google Pagerank Display; Wordpress; Wordpress wordpress
  • Vendors & Products: Byybora; Byybora google Pagerank Display; Wordpress; Wordpress wordpress
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 08:30:00 +0000

Values Removed: none
Values Added:
  • Description: the text shown under Description at the top of this page
  • Title: Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page
  • Weaknesses: CWE-352
  • References:
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-22T12:07:22.564Z
Reserved: 2026-04-14T18:03:33.157Z
Link: CVE-2026-6294

Vulnrichment

Updated: 2026-04-22T12:07:18.863Z

NVD

Status: Deferred
Published: 2026-04-22T09:16:26.677
Modified: 2026-04-22T20:22:50.570
Link: CVE-2026-6294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:43:50Z

Weaknesses