Platform
wordpress
Component
dx-unanswered-comments
Fixed in
1.7.1
A Cross-Site Request Forgery (XSRF) vulnerability exists in the DX Unanswered Comments plugin for WordPress, affecting versions up to and including 1.7. This flaw allows unauthenticated attackers to manipulate plugin settings, potentially impacting comment management and author lists. The vulnerability stems from a lack of nonce validation within the plugin's settings form. Updating to a patched version is crucial to remediate this security risk.
Successful exploitation of CVE-2026-4138 allows an attacker to forge requests that appear to originate from an authenticated administrator. This enables them to modify critical plugin settings, specifically dxucauthorslist and dxuccommentcount. An attacker could, for example, alter the list of authors tracked by the plugin, potentially masking malicious comments or manipulating reporting. While the impact is limited to the plugin's functionality, it could be leveraged to disrupt comment moderation workflows and potentially obscure malicious activity. The attack requires tricking a site administrator into clicking a malicious link, making social engineering a key component of exploitation.
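The bug class described above, as an added illustration rather than the plugin's own code (which is not on this page): a settings handler that saves POST fields with no nonce or capability check, beside the form and handler shape a fix takes. The option names are taken from the advisory; the dxuc_example_* function names are hypothetical.

```php
<?php
// Added illustration of the bug class in this advisory; not the plugin's own code.
// The option names come from the advisory, the function names are hypothetical.

// BEFORE: a settings handler that saves whatever arrives in POST. Nothing ties
// the request to a form the admin actually rendered, so a cross-origin page that
// auto-submits these fields is processed with the admin's session cookies.
function dxuc_example_save_settings_vulnerable() {
    if ( isset( $_POST['dxucauthorslist'] ) ) {
        update_option( 'dxucauthorslist', sanitize_text_field( wp_unslash( $_POST['dxucauthorslist'] ) ) );
    }
    if ( isset( $_POST['dxuccommentcount'] ) ) {
        update_option( 'dxuccommentcount', absint( $_POST['dxuccommentcount'] ) );
    }
}

// AFTER: the form carries a nonce bound to one action and to the current user.
function dxuc_example_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'dxuc_example_save_settings', 'dxuc_example_nonce' ); ?>
        <input type="text" name="dxucauthorslist"
               value="<?php echo esc_attr( get_option( 'dxucauthorslist', '' ) ); ?>">
        <input type="number" name="dxuccommentcount"
               value="<?php echo esc_attr( get_option( 'dxuccommentcount', 0 ) ); ?>">
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// The handler now refuses the request unless the caller may manage options AND
// the nonce verifies. A third-party origin cannot read the nonce out of the
// admin page, so it cannot build a request that passes this check.
function dxuc_example_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request (HTTP 403) when the nonce is missing, forged,
    // expired, or was issued for another action or user.
    check_admin_referer( 'dxuc_example_save_settings', 'dxuc_example_nonce' );

    if ( isset( $_POST['dxucauthorslist'] ) ) {
        update_option( 'dxucauthorslist', sanitize_text_field( wp_unslash( $_POST['dxucauthorslist'] ) ) );
    }
    if ( isset( $_POST['dxuccommentcount'] ) ) {
        update_option( 'dxuccommentcount', absint( $_POST['dxuccommentcount'] ) );
    }
}
```

The capability check matters on its own: a nonce proves the request came from a page WordPress rendered for this user, not that the user is an administrator.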
CVE-2026-4138 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code is currently available, but the vulnerability's nature makes it relatively straightforward to exploit. The EPSS score is likely to be low to medium, given the reliance on social engineering and the limited scope of the impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.01% (1st percentile)
The primary mitigation for CVE-2026-4138 is to upgrade the DX Unanswered Comments plugin to a version that addresses the nonce validation issue. Unfortunately, a specific fixed version is not provided in the CVE details. As a temporary workaround, consider implementing strict Content Security Policy (CSP) rules to limit the sources from which the plugin can load resources. Additionally, carefully review any suspicious links or requests received via email or other channels to prevent accidental execution of forged requests. After upgrading, verify the plugin settings to ensure they haven't been tampered with.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-4138 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the DX Unanswered Comments WordPress plugin versions up to 1.7, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the DX Unanswered Comments plugin and is running version 1.7 or earlier. Upgrade to a patched version as soon as possible.
Upgrade the DX Unanswered Comments plugin to a version that addresses the nonce validation issue. A specific fixed version is not provided, so monitor for updates.
While no active exploitation is confirmed, the vulnerability is relatively easy to exploit and requires only social engineering, making it a potential target.
Refer to the WordPress plugin repository and the DX Unanswered Comments plugin developer's website for updates and advisories related to CVE-2026-4138.