Description
The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings without authorization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw exists in the Old Posts Highlighter plugin for WordPress in all releases up to and including 1.0.3. The OPH_options handler saves the plugin's settings without verifying a WordPress nonce, so it cannot distinguish a form submission the administrator intended from one that a third‑party page caused the administrator's browser to send. An attacker who holds no account on the site can therefore host a page, or send a link, that submits a forged settings‑update request; because the victim's browser attaches the administrator's session cookies, the request is processed with administrator privileges. The result is unauthorized modification of the plugin's configuration, such as its display options, which can affect what site visitors see.

Affected Systems

WordPress sites that have the Old Posts Highlighter plugin installed at version 1.0.3 or earlier. The plugin is distributed under the mkhfr vendor name and is used to highlight older posts.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (medium; vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), reflecting a low integrity impact with no confidentiality or availability impact. The EPSS score is below 1% (very low) and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been observed. Exploitation requires a logged‑in administrator to visit an attacker‑controlled page or follow a crafted link while authenticated, so the attack depends on social engineering rather than unattended scanning; the SSVC assessment recorded in the history accordingly marks it as not automatable. The likelihood of attack is therefore moderate, and the consequence is confined to unauthorized changes to the plugin's settings.

Generated by OpenCVE AI on May 27, 2026 at 07:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Old Posts Highlighter to a release newer than 1.0.3 that enforces nonce validation in the settings handler, once such a release is available; at the time of writing no vendor fix is listed.
  • Verify that the plugin's settings‑update path requires a valid nonce (check_admin_referer() or wp_verify_nonce() in the OPH_options handler) in addition to its capability check, which is what closes the CSRF weakness (CWE‑352). If the check is missing, apply a local patch that adds it, or deactivate the plugin until a fixed release is available.
  • Educate site administrators about the risk of following untrusted links while logged in to the WordPress admin. Note that restricting the settings page to administrators does not by itself mitigate CSRF, because the forged request is sent from the administrator's own browser with the administrator's own session; only nonce verification (or an equivalent anti‑CSRF token) does.
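The following is an added illustration of the weak and the hardened settings‑handler pattern described in the analysis and in the recommendations above. It is not the plugin's own code and is not taken from the advisory: the function names, the option name oph_settings, the field names oph_days and oph_message, and the nonce action oph_save_settings are all assumptions chosen for the example. Only the handler name OPH_options appears in the advisory; its actual body is not shown on this page.

```php
<?php
/*
 * Illustrative WordPress settings handler (example code, not from the plugin).
 * Assumed for this example: the option name 'oph_settings', the POST fields
 * 'oph_days' and 'oph_message', the nonce action 'oph_save_settings' and the
 * nonce field name 'oph_nonce'. All WordPress functions used are core APIs.
 */

// --- Weak pattern (CWE-352): writes settings on POST with no nonce check.
// The capability check does not help against CSRF: the victim IS an
// administrator, and the browser attaches the admin's session cookies to a
// request that originated on an attacker's page.
function oph_options_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    if ( isset( $_POST['oph_days'] ) ) {
        // Missing: check_admin_referer(). Any cross-origin form post is accepted.
        update_option( 'oph_settings', array(
            'days'    => absint( $_POST['oph_days'] ),
            'message' => sanitize_text_field( wp_unslash( $_POST['oph_message'] ?? '' ) ),
        ) );
    }
    oph_render_form();
}

// --- Hardened pattern: capability check AND nonce verification before any write.
function oph_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    if ( isset( $_POST['oph_days'] ) ) {
        // check_admin_referer() verifies a nonce bound to this action and to the
        // current user's session; a forged cross-site request cannot carry a
        // valid one, so the call wp_die()s instead of reaching update_option().
        check_admin_referer( 'oph_save_settings', 'oph_nonce' );
        update_option( 'oph_settings', array(
            'days'    => absint( $_POST['oph_days'] ),
            'message' => sanitize_text_field( wp_unslash( $_POST['oph_message'] ?? '' ) ),
        ) );
    }
    oph_render_form();
}

// Renders the form; wp_nonce_field() emits the hidden nonce input that the
// hardened handler expects, plus a hidden referer field.
function oph_render_form() {
    $opts = wp_parse_args(
        get_option( 'oph_settings', array() ),
        array( 'days' => 365, 'message' => '' )
    );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'oph_save_settings', 'oph_nonce' ); ?>
        <p><label>Days before a post counts as old
            <input type="number" name="oph_days" value="<?php echo esc_attr( $opts['days'] ); ?>"></label></p>
        <p><label>Notice text
            <input type="text" name="oph_message" value="<?php echo esc_attr( $opts['message'] ); ?>"></label></p>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Register the hardened handler as the settings page (assumed slug 'oph-settings').
add_action( 'admin_menu', function () {
    add_options_page( 'Old Posts', 'Old Posts', 'manage_options', 'oph-settings', 'oph_options_hardened' );
} );
```

When auditing an installed copy, the practical check is whether every code path that reaches update_option() for the plugin's options is preceded by check_admin_referer() or wp_verify_nonce(); a capability check alone, as in the weak handler, is not sufficient. Plugins that instead use the Settings API (register_setting(), settings_fields(), and a form posted to options.php) get the nonce check from WordPress core, which is the simplest way to avoid this class of bug.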

Generated by OpenCVE AI on May 27, 2026 at 07:52 UTC.


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mkhfr; Mkhfr old Posts Highlighter; Wordpress; Wordpress wordpress
Vendors & Products | | Mkhfr; Mkhfr old Posts Highlighter; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings without authorization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title | | Old Posts Highlighter <= 1.0.3 - Cross-Site Request Forgery to Settings Update
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:33:22.135Z

Reserved: 2026-05-01T13:10:03.590Z

Link: CVE-2026-7614

Vulnrichment

Updated: 2026-05-27T10:33:17.009Z

NVD

Status : Received

Published: 2026-05-27T07:16:13.753

Modified: 2026-05-27T07:16:13.753

Link: CVE-2026-7614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:01Z

Weaknesses