Platform: wordpress
Component: newsexo
Fixed in: 7.1.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the NewsExo WordPress plugin, potentially allowing attackers to perform unauthorized actions on behalf of authenticated users. This vulnerability affects versions from 0.0.0 up to and including 7.1. The vulnerability has been publicly disclosed and a fix is available via plugin update.
The CSRF vulnerability allows an attacker to craft malicious requests that appear to originate from a legitimate user of the NewsExo plugin. Successful exploitation could lead to unauthorized modifications of NewsExo settings, content creation, or other actions depending on the plugin's functionality and user permissions. This could result in defacement of the website, data breaches, or other malicious activities. The impact is amplified if the NewsExo plugin is used in conjunction with other plugins or themes that have sensitive functionality.
This vulnerability was publicly disclosed on 2026-04-08. No public proof-of-concept (POC) code has been identified at this time. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score indicates a moderate risk of exploitation.
Exploit Status
EPSS: 0.01% (1st percentile)
CVSS Vector
The primary mitigation is to upgrade the NewsExo plugin to a version that addresses this vulnerability. Check the WordPress plugin repository for the latest version. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the sources from which the browser can load resources. Additionally, implement server-side CSRF protection mechanisms, such as checking the Referer header or using a unique token for each request. After upgrade, verify the plugin's functionality and security settings.
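The mitigation above mentions a unique per-request token; in WordPress that token is a nonce, and the capability check that belongs beside it is what stops a forged request from doing anything even when it arrives with a victim's cookies. The following is an added example and is not code from the NewsExo plugin or from this advisory: a generic settings-save handler is shown first without protection, then in the hardened form. All function, option, action and nonce names are placeholders chosen for the example.

```php
<?php
// Added example (not NewsExo's code). Demonstrates the server-side CSRF
// protection the advisory recommends, using WordPress nonces plus a
// capability check. Every example_plugin_* name is a placeholder.

// --- Unprotected handler ---------------------------------------------------
// Nothing ties the request to the logged-in user's intent: a form submitted
// from any other site with the victim's session cookie would be accepted.
function example_plugin_save_settings_unprotected() {
    if ( isset( $_POST['example_plugin_headline'] ) ) {
        update_option(
            'example_plugin_headline',
            sanitize_text_field( wp_unslash( $_POST['example_plugin_headline'] ) )
        );
    }
}

// --- Hardened form -----------------------------------------------------------
// The settings form embeds a nonce bound to one action; the handler requires
// the nonce and the capability before touching any option.
function example_plugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_settings">
        <?php wp_nonce_field( 'example_plugin_save_settings', 'example_plugin_nonce' ); ?>
        <input type="text" name="example_plugin_headline"
               value="<?php echo esc_attr( get_option( 'example_plugin_headline', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_plugin_save_settings() {
    // 1. Authorization: only users who may manage options reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the nonce is tied to this action and this user session,
    //    so a request forged from another origin cannot supply a valid one.
    $nonce = isset( $_POST['example_plugin_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_plugin_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_save_settings' ) ) {
        wp_die( 'Invalid or missing nonce.', '', array( 'response' => 403 ) );
    }

    // 3. Sanitize input before persisting it.
    $headline = isset( $_POST['example_plugin_headline'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_plugin_headline'] ) )
        : '';
    update_option( 'example_plugin_headline', $headline );

    // Return to the settings page with a success flag.
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_plugin_save_settings', 'example_plugin_save_settings' );
```

When auditing a plugin for this class of issue, look for every admin-post, admin-ajax or REST callback that changes state and confirm it pairs a nonce or REST permission callback with a capability check; a nonce alone only proves the request came from a page the site served to that user, and the capability check is what limits which users may trigger the change at all.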
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-39618 is a Cross-Site Request Forgery (CSRF) vulnerability affecting NewsExo WordPress plugin versions 0.0.0 through 7.1, allowing attackers to perform unauthorized actions.
If you are using NewsExo WordPress plugin versions 0.0.0 to 7.1, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade the NewsExo WordPress plugin to the latest available version from the WordPress plugin repository. Consider implementing CSP headers and server-side CSRF protection as temporary workarounds.
There is currently no evidence of active exploitation, but the vulnerability is publicly known and could be exploited.
Check the NewsExo plugin page on the WordPress plugin repository for updates and security advisories.