Platform
wordpress
Component
newsexo
Fixed in
7.1.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the NewsExo WordPress plugin. This flaw allows an attacker to potentially execute unauthorized actions on behalf of a logged-in user, compromising their account and potentially the entire website. The vulnerability affects versions from 0.0.0 up to and including 7.1. A fix is available in a newer version of the plugin.
The CSRF vulnerability in NewsExo allows an attacker to craft malicious requests that appear to originate from a legitimate user. If successful, an attacker could modify NewsExo settings, create or delete content, or perform other actions that the user is authorized to do. This could lead to data breaches, website defacement, or even complete compromise of the WordPress site. The impact is amplified if the affected user has administrative privileges, granting the attacker broad control over the website.
The vulnerability was publicly disclosed on 2026-04-08. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. The CVSS score of 4.3 (Medium) indicates a moderate risk. It is not listed on the CISA KEV catalog at the time of writing.
Websites using the NewsExo WordPress plugin, particularly those with user accounts and sensitive data managed through the plugin, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially impact others.
• wordpress / plugin: grep -r 'newsExo_ajax_nonce' /var/www/html/wp-content/plugins/
• wordpress / plugin: wp plugin list --status=inactive | grep NewsExo
• wordpress / plugin: Check for unusual or unauthorized actions within the NewsExo plugin's admin interface.
disclosure
Exploit status
EPSS
0.01% (1st percentile)
CVSS vector
The primary mitigation for CVE-2026-39618 is to upgrade to a patched version of the NewsExo plugin. If upgrading immediately is not feasible, consider temporary workarounds such as adding CSRF tokens (WordPress nonces) to all sensitive forms and actions within the NewsExo plugin. Web Application Firewalls (WAFs) can also be configured to filter out malicious CSRF requests. After upgrading, verify the fix by attempting to submit a request from a different browser or an incognito window and confirming that it is rejected, which shows that the CSRF protection is in place.
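As an added example (not NewsExo's own code), the pattern the workaround describes: a WordPress admin-AJAX handler without CSRF protection next to the same handler guarded by a nonce and a capability check. The function names, the option key and the use of 'newsExo_ajax_nonce' as the nonce action (the string from the grep check above) are assumptions made for illustration.

```php
<?php
// Added example, not NewsExo plugin code. Function names, the option key
// and the nonce action 'newsExo_ajax_nonce' are assumptions.

// Vulnerable pattern: the handler trusts any request carrying a logged-in
// user's cookies, so a request forged from another site changes the setting.
// Shown for contrast only; it is deliberately not registered with add_action().
function example_save_settings_unprotected() {
    update_option(
        'example_newsexo_setting',
        sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) )
    );
    wp_send_json_success();
}

// Hardened pattern: verify the per-user nonce AND the capability.
// check_ajax_referer() terminates with HTTP 403 when the 'nonce' field is
// missing, expired, or was issued for a different user or action.
function example_save_settings_protected() {
    check_ajax_referer( 'newsExo_ajax_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    update_option(
        'example_newsexo_setting',
        sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) )
    );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_protected' );

// Hand the nonce to the plugin's admin script so legitimate requests can
// send it as the 'nonce' POST field alongside action=example_save_settings.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'newsExo_ajax_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

A request that reaches the protected handler without a valid nonce is rejected before any state changes, which is the behaviour the verification step above expects to observe.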
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-39618 is a Cross-Site Request Forgery (CSRF) vulnerability affecting NewsExo WordPress plugin versions 0.0.0 through 7.1, allowing attackers to perform unauthorized actions.
If you are using NewsExo WordPress plugin versions 0.0.0 to 7.1, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade the NewsExo WordPress plugin to the latest available version from the WordPress plugin repository. Consider implementing CSP headers and server-side CSRF protection as temporary workarounds.
There is currently no evidence of active exploitation, but the vulnerability is publicly known and could be exploited.
Check the NewsExo plugin page on the WordPress plugin repository for updates and security advisories.