Platform
wordpress
Component
google-pagerank-display
Fixed in
1.4.1
The Google PageRank Display plugin for WordPress, versions up to and including 1.4, contains a Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability. The settings handler does not validate a WordPress nonce, so an attacker who can get a logged-in administrator to load an attacker-controlled page can have the administrator's browser submit a forged request that changes the plugin's settings. The outcome is unauthorized modification of the plugin's configuration; what that means in practice depends on which settings the plugin exposes.
The attack works because the browser attaches the administrator's WordPress session cookies to any request made to the site, including a POST triggered by a hidden, auto-submitting form on another origin. Because the gpdisplayoption() function lacks nonce validation, it accepts such a request and writes the attacker-chosen values with update_option(). The attacker could change display preferences, enable or disable features, or alter other configuration parameters the page exposes. Direct data theft is unlikely, but altered settings can disrupt site output, and a setting that is later rendered or used without validation can be a stepping stone to further problems. The preconditions are specific: a victim with rights to the settings page must be logged in and must be lured to the attacker's page, and the attacker never sees the response.
This vulnerability was published on 2026-04-21. Currently there are no known public exploits or active campaigns targeting it, and the EPSS score is 0.01% (1st percentile). Even so, CSRF against an unauthenticated-nonce settings page needs no special tooling once the request format is known, so the flaw remains a live risk for any site still running an affected version with an administrator who browses while logged in.
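The following is an added illustration of the pattern described above and of the fix that a nonce check provides; it is not the Google PageRank Display plugin's own code, and the option name (`gpd_display_mode`), form field, nonce action and allowed values are assumptions made for the example. The first function shows the unsafe shape (any POST that reaches it is trusted); the second adds the two checks WordPress expects on a settings save: a capability check and a nonce check via `check_admin_referer()`, which rejects a forged cross-origin form with a 403 "link expired" page.

```php
<?php
// Added example, not the plugin's code. Option name, nonce action and
// field names are assumptions. Requires WordPress core functions.

// --- Unsafe pattern: settings written from any POST, no nonce, no capability check ---
function gpd_vulnerable_save_settings() {
    if ( isset( $_POST['gpd_display_mode'] ) ) {
        // A hidden form on an attacker's page, auto-submitted by a logged-in
        // administrator's browser, reaches this line with the admin's cookies
        // and overwrites the option.
        update_option(
            'gpd_display_mode',
            sanitize_text_field( wp_unslash( $_POST['gpd_display_mode'] ) )
        );
    }
}

// --- Hardened pattern ---

// Settings form: wp_nonce_field() emits a hidden input bound to the
// action name and the current user's session; other origins cannot read it.
function gpd_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $mode = get_option( 'gpd_display_mode', 'badge' );
    ?>
    <div class="wrap">
        <h1>PageRank Display</h1>
        <form method="post" action="">
            <?php wp_nonce_field( 'gpd_save_settings', 'gpd_nonce' ); ?>
            <label for="gpd_display_mode">Display mode</label>
            <input type="text" id="gpd_display_mode" name="gpd_display_mode"
                   value="<?php echo esc_attr( $mode ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// Save handler: runs on admin_init, before any output.
function gpd_hardened_save_settings() {
    if ( ! isset( $_POST['gpd_display_mode'] ) ) {
        return;
    }

    // 1. Capability: CSRF rides on the victim's session, so bind the
    //    action to a role rather than to "any logged-in user".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce: check_admin_referer() verifies the hidden field against the
    //    action name and current user. A forged request from another origin
    //    cannot supply a valid value, and the call terminates the request
    //    with WordPress's 403 "The link you followed has expired" page.
    check_admin_referer( 'gpd_save_settings', 'gpd_nonce' );

    // 3. Validate the value against an allow-list (values assumed here),
    //    so a stored setting can never carry arbitrary attacker content.
    $allowed = array( 'badge', 'text', 'hidden' );
    $mode    = sanitize_text_field( wp_unslash( $_POST['gpd_display_mode'] ) );
    if ( ! in_array( $mode, $allowed, true ) ) {
        $mode = 'badge';
    }
    update_option( 'gpd_display_mode', $mode );
}

add_action( 'admin_menu', function () {
    add_options_page(
        'PageRank Display', 'PageRank Display', 'manage_options',
        'gpd-settings', 'gpd_render_settings_page'
    );
} );
add_action( 'admin_init', 'gpd_hardened_save_settings' );
```

A plugin that registers its options with `register_setting()` and posts the form to `options.php` gets the same nonce and capability checks from WordPress core; the manual handler above is the shape to use when the plugin processes the POST itself, which is the case the advisory describes.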
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-6294 is to upgrade the Google PageRank Display plugin to 1.4.1 or later, which adds the missing nonce validation. If upgrading is not immediately feasible, a Web Application Firewall can reduce exposure, but note that a WAF cannot validate WordPress nonces (they are per-user, per-action values generated by the site); the workable rule is to block POST requests to the plugin's settings page whose Origin or Referer header is absent or does not match the site's own origin, accepting that some browsers and privacy extensions strip Referer. Keeping the number of administrator accounts small and having administrators avoid browsing untrusted sites while logged in also limits the pool of viable victims. After upgrading, confirm the fix: while logged in as an administrator, submit the settings form from a page on a different origin, or replay a saved settings POST with the nonce field removed; WordPress should reject it with a 403 "The link you followed has expired" page and the settings should remain unchanged.
A fixed release, 1.4.1, is available, so upgrading is the expected remediation. If the plugin cannot be updated on a given site, review the vulnerability's details and apply mitigations based on your organization's risk tolerance; removing the plugin and replacing it with a maintained alternative may be the safer course.
CVE-2026-6294 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Google PageRank Display WordPress plugin, versions up to and including 1.4. It allows attackers to change plugin settings by tricking a logged-in administrator's browser into submitting a forged request to the settings page.
You are affected if you are running the Google PageRank Display WordPress plugin at version 1.4 or earlier. Upgrade to 1.4.1 or later to resolve this vulnerability.
The recommended fix is to upgrade the Google PageRank Display plugin to 1.4.1 or later. As a temporary workaround, add a WAF rule that blocks POST requests to the plugin's settings page whose Origin or Referer header is missing or does not match the site's origin.
Currently there are no known public exploits or active campaigns targeting CVE-2026-6294, but CSRF against a settings page with no nonce check is straightforward to carry out, so it remains a real risk for unpatched sites.
Refer to the WordPress plugin repository and associated security advisories for updates and information regarding CVE-2026-6294. Check the plugin author's website for any specific announcements.