Description
The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc_options_page function. This makes it possible for unauthenticated attackers to modify plugin settings including link text and markup, success/failure/already-reported messages, comment threshold, cookie duration, reporter-comment toggle, and notification email address, subject, and message body via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AJAX Report Comments plugin for WordPress fails to validate nonces in the rc_options_page function, creating a Cross‑Site Request Forgery vulnerability. An attacker who can convince an administrator to click a malicious link can modify any plugin setting. Changes include link text and markup, success or failure messages, comment thresholds, cookie durations, reporter‑comment toggles, and notification email addresses and bodies. This allows an attacker to alter the user experience, redirect notifications, or enable unintended content without authentication.

Affected Systems

Tierrain Innovation’s AJAX Report Comments plugin, versions 2.0.4 and earlier. All WordPress installations that have not updated beyond 2.0.4 are affected.

Risk and Exploitability

The CVSS Base score of 4.3 indicates moderate severity, while the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog, suggesting an uncertain exploitation frequency. The CSRF attack requires only a crafted URL or link presented to an administrator; no user credentials are needed. A successful forgery results in unauthorized configuration changes that may disrupt site functionality or compromise email notifications.

Generated by OpenCVE AI on June 9, 2026 at 05:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AJAX Report Comments to a fixed version newer than 2.0.4.
  • If an upgrade is not possible, restrict access to the plugin’s settings page so only administrators with appropriate capabilities can modify it.
  • If the plugin is not critical to site operations, uninstall it to eliminate the attack surface.

Generated by OpenCVE AI on June 9, 2026 at 05:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Tierrainnovation
Tierrainnovation ajax Report Comments
Wordpress
Wordpress wordpress
Vendors & Products Tierrainnovation
Tierrainnovation ajax Report Comments
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc_options_page function. This makes it possible for unauthenticated attackers to modify plugin settings including link text and markup, success/failure/already-reported messages, comment threshold, cookie duration, reporter-comment toggle, and notification email address, subject, and message body via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title AJAX Report Comments <= 2.0.4 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Tierrainnovation Ajax Report Comments
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T13:26:53.706Z

Reserved: 2026-05-18T21:16:29.861Z

Link: CVE-2026-8902

cve-icon Vulnrichment

Updated: 2026-06-09T13:26:50.456Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:40.150

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8902

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:56:05Z

Weaknesses