Description
The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Emoticon Rating plugin contains a CSRF vulnerability caused by missing or incorrect nonce validation. An unauthenticated attacker can submit a forged request that updates the "emo_settings" parameter with arbitrary content. When the site administrator later accesses the settings page, the injected content is reflected back into the browser and executed, leading to cross‑site scripting within the admin context.

Affected Systems

Any WordPress installation that has the WP Emoticon Rating plugin from vendor rahulbhangale, versions 1.0.1 or earlier.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. The attack requires a social‑engineering link that causes an administrator to unknowingly send the forged request, after which the attacker can trigger script execution in the administrator's browser.

Generated by OpenCVE AI on June 9, 2026 at 06:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Emoticon Rating plugin to version 1.0.2 or later to restore proper nonce validation.
  • Restrict the settings page so that only users with appropriate capabilities can modify it, limiting the effect of any accidental CSRF request.
  • Deploy a web‑application firewall or security plugin to monitor and block suspicious CSRF requests and XSS payloads.

Generated by OpenCVE AI on June 9, 2026 at 06:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Rahulbhangale
Rahulbhangale wp Emoticon Rating
Wordpress
Wordpress wordpress
Vendors & Products Rahulbhangale
Rahulbhangale wp Emoticon Rating
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title WP Emoticon Rating <= 1.0.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting via 'emo_settings' Parameter
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Rahulbhangale Wp Emoticon Rating
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T14:10:48.801Z

Reserved: 2026-05-18T21:50:49.407Z

Link: CVE-2026-8910

cve-icon Vulnrichment

Updated: 2026-06-09T14:10:32.479Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:40.760

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:55:59Z

Weaknesses