Description
The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a forged request that modifies the plugin's configuration options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-05
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DX Sources plugin contains a CSRF flaw caused by missing or incorrect nonce validation in the settings_page_build function. This flaw allows an unauthenticated attacker to trick a logged‑in administrator into submitting a forged request that changes the plugin’s configuration, potentially altering site behavior or enabling further exploitation.

Affected Systems

The vulnerability affects the xavortm DX Sources plugin for WordPress, all versions up to and including 2.0.1. Users running any of these versions should verify the installed version and consider upgrading.

Risk and Exploitability

The CVSS score of 4.3 indicates a low severity, and the EPSS score is not available, so the likelihood of exploitation is uncertain. The flaw is not listed in CISA KEV. The attack requires an administrator to click a malicious link or submit a forged form, making the vector user interaction – a typical CSRF scenario.

Generated by OpenCVE AI on May 5, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DX Sources plugin to a version that implements proper nonce validation (>= 2.0.2 if available).
  • If an immediate upgrade is not possible, disable or remove the plugin’s settings‑update functionality until a patch is applied or consider uninstalling the plugin if it is not critical.
  • Restrict administrator accounts to trusted users only, enforce two‑factor authentication, and educate site administrators about CSRF risks to prevent malicious request exploitation.

Generated by OpenCVE AI on May 5, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 02:45:00 +0000

Type Values Removed Values Added
Description The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a forged request that modifies the plugin's configuration options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title DX Sources <= 2.0.1 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T02:26:56.787Z

Reserved: 2026-04-20T17:26:47.833Z

Link: CVE-2026-6700

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T03:16:00.627

Modified: 2026-05-05T03:16:00.627

Link: CVE-2026-6700

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T03:30:14Z

Weaknesses