Description
The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the gmz_comment_settings_save function. This makes it possible for unauthenticated attackers to modify the plugin's comment-display setting via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross‑Site Request Forgery (CWE‑352) because the gmz_comment_settings_save function lacks proper nonce validation. An attacker can construct a forged request that, if an authenticated site administrator clicks a malicious link, will silently change the plugin's comment‑display setting. The vulnerability can be exploited by unauthenticated attackers with the ability to trick an admin into visiting such a link.

Affected Systems

The vulnerability affects the Remove NoFollow Commenter URL WordPress plugin (author James Muga) in versions 1.0 and earlier. Any site running the plugin at or below this version is considered vulnerable.

Risk and Exploitability

With a CVSS score of 4.3, the risk is low‑to‑medium; the exploit requires no special privileges and only the ability to lure a logged‑in administrator to a crafted link. The flaw is not listed in CISA KEV and the EPSS score is unavailable, indicating no known widespread exploitation yet, but the absence of nonce protection makes the attack trivial if a target is chosen.

Generated by OpenCVE AI on June 2, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Remove NoFollow Commenter URL plugin to the latest version that includes proper nonce validation.
  • If an upgrade is not possible, disable or delete the plugin to eliminate the vulnerable code.
  • If disabling the plugin is unacceptable, manually add nonce verification to the gmz_comment_settings_save function or otherwise implement CSRF protection for the settings endpoint.

Generated by OpenCVE AI on June 2, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Jamesmuga
Jamesmuga remove Nofollow Commenter Url
Wordpress
Wordpress wordpress
Vendors & Products Jamesmuga
Jamesmuga remove Nofollow Commenter Url
Wordpress
Wordpress wordpress

Tue, 02 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the gmz_comment_settings_save function. This makes it possible for unauthenticated attackers to modify the plugin's comment-display setting via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Remove NoFollow Commenter URL <= 1.0 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Jamesmuga Remove Nofollow Commenter Url
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-02T10:44:49.494Z

Reserved: 2026-05-27T17:23:07.398Z

Link: CVE-2026-9730

cve-icon Vulnrichment

Updated: 2026-06-02T10:44:43.907Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T09:16:17.567

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-9730

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:51:52Z

Weaknesses