CVE-2026-6294
CWE-352Published: April 22, 2026· Updated: Apr 22, 2026
Official Description
The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge.
Technical Analysis
CVE-2026-6294 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (5)
Quick Facts
Related CVEs (CWE-352)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-6294 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts