Description
The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_certification function. This makes it possible for unauthenticated attackers to update the plugin's license key option, and subsequently trigger license validation and pro feature installation on the victim site without the administrator's consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation can trigger downstream calls to amJL_is_license_valid() and amJL_download_and_install_pro_features(), meaning the impact extends beyond a simple settings change to unauthorized installation of plugin components.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the auto making JSON‑LD WordPress plugin, where the amJL_certification function performs no or incorrect nonce validation. This flaw allows an unauthenticated user to forge a request that updates the plugin’s license key option. The attacker can then trigger downstream calls to amJL_is_license_valid() and amJL_download_and_install_pro_features(), effectively installing plugin components on the victim site without administrator consent. The weakness is classified as a CSRF flaw (CWE-352) with moderate severity.

Affected Systems

The affected product is the auto making JSON‑LD WordPress plugin with versions up to and including 4.5.3. Users who have installed any of these versions are at risk unless they have applied a fix.

Risk and Exploitability

This flaw carries a CVSS score of 4.3, indicating moderate impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker could exploit the CSRF vulnerability remotely by simply convincing an administrator to visit a specially crafted link or by embedding the forged request in HTML or JavaScript. Once triggered, the attacker gains the ability to alter a sensitive configuration setting and install additional plugin components, potentially escalating privileges or compromising site integrity.

Generated by OpenCVE AI on May 27, 2026 at 07:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the auto making JSON‑LD plugin to a version newer than 4.5.3 where nonce validation is implemented correctly
  • If an upgrade is not immediately possible, disable the plugin’s certification settings page for non‑administrators using a role‑based access control rule or by removing the relevant menu item from the admin interface
  • Implement a web application firewall rule to block POST requests to the plugin’s certification endpoint that lack a valid nonce or that come from unknown sources

Generated by OpenCVE AI on May 27, 2026 at 07:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Nakamura1458
Nakamura1458 auto Making Json-ld
Wordpress
Wordpress wordpress
Vendors & Products Nakamura1458
Nakamura1458 auto Making Json-ld
Wordpress
Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_certification function. This makes it possible for unauthenticated attackers to update the plugin's license key option, and subsequently trigger license validation and pro feature installation on the victim site without the administrator's consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation can trigger downstream calls to amJL_is_license_valid() and amJL_download_and_install_pro_features(), meaning the impact extends beyond a simple settings change to unauthorized installation of plugin components.
Title auto making JSON-LD <= 4.5.3 - Cross-Site Request Forgery to Plugin Certification Settings via Nonce Validation Bypass
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Nakamura1458 Auto Making Json-ld
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:39:06.064Z

Reserved: 2026-05-19T12:01:19.071Z

Link: CVE-2026-8938

cve-icon Vulnrichment

Updated: 2026-05-27T10:39:00.548Z

cve-icon NVD

Status : Received

Published: 2026-05-27T07:16:18.453

Modified: 2026-05-27T07:16:18.453

Link: CVE-2026-8938

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:07:41Z

Weaknesses