Platform
wordpress
Component
dx-unanswered-comments
Fixed in
1.7.1
A Cross-Site Request Forgery (XSRF) vulnerability exists in the DX Unanswered Comments plugin for WordPress, affecting versions up to and including 1.7. This flaw allows unauthenticated attackers to manipulate plugin settings, potentially impacting comment management and author lists. The vulnerability stems from a lack of nonce validation within the plugin's settings form. Updating to a patched version is crucial to remediate this security risk.
Successful exploitation of CVE-2026-4138 allows an attacker to forge requests that appear to originate from an authenticated administrator. This enables them to modify critical plugin settings, specifically dxucauthorslist and dxuccommentcount. An attacker could, for example, alter the list of authors tracked by the plugin, potentially masking malicious comments or manipulating reporting. While the impact is limited to the plugin's functionality, it could be leveraged to disrupt comment moderation workflows and potentially obscure malicious activity. The attack requires tricking a site administrator into clicking a malicious link, making social engineering a key component of exploitation.
CVE-2026-4138 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code is currently available, but the vulnerability's nature makes it relatively straightforward to exploit. The EPSS score is likely to be low to medium, given the reliance on social engineering and the limited scope of the impact. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the DX Unanswered Comments plugin, particularly those with administrative accounts that are susceptible to phishing or social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server resources could also be indirectly affected if one site is compromised and used to launch attacks against others.
• wordpress / composer / npm: grep -r 'dxuc-unanswered-comments-admin-page.php' /var/www/html/wp-content/plugins/
• wordpress / composer / npm: wp plugin list | grep "DX Unanswered Comments"
• wordpress / composer / npm: wp plugin update --all
• generic web: Inspect the plugin's admin page source code for missing nonce attributes in forms.
disclosure
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4138 is to upgrade the DX Unanswered Comments plugin to a version that addresses the nonce validation issue. Unfortunately, a specific fixed version is not provided in the CVE details. As a temporary workaround, consider implementing strict Content Security Policy (CSP) rules to limit the sources from which the plugin can load resources. Additionally, carefully review any suspicious links or requests received via email or other channels to prevent accidental execution of forged requests. After upgrading, verify the plugin settings to ensure they haven't been tampered with.
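The missing control the advisory describes is WordPress's nonce check on the settings form. The following is an added illustration of the hardened pattern; it is not the DX Unanswered Comments plugin's own code. The function, action and form names (dxuc_example_*) are assumptions made for the example; only the option names dxucauthorslist and dxuccommentcount come from the advisory.

```php
<?php
// Added illustration of the WordPress nonce pattern a settings form needs.
// NOT the DX Unanswered Comments plugin's code: the dxuc_example_* names are
// assumptions. The option names dxucauthorslist and dxuccommentcount are the
// ones the advisory names as the settings an attacker could alter.

// --- Rendering the settings form (hardened) ---
function dxuc_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dxuc_example_save_settings">
        <?php
        // Emits a hidden _wpnonce field tied to this action and the current
        // user's session. A page on another origin cannot read or guess it,
        // so a forged request arrives without a valid nonce. A form without
        // this call is the weakness the advisory describes.
        wp_nonce_field( 'dxuc_example_save_settings' );
        ?>
        <label>Authors list
            <input type="text" name="dxucauthorslist"
                   value="<?php echo esc_attr( get_option( 'dxucauthorslist', '' ) ); ?>">
        </label>
        <label>Comment count
            <input type="number" name="dxuccommentcount" min="1"
                   value="<?php echo esc_attr( get_option( 'dxuccommentcount', 10 ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Handling the submission (hardened) ---
function dxuc_example_save_settings() {
    // Capability check: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: rejects requests whose _wpnonce is missing, expired, or
    // not issued for this action to this user. A handler that omits this
    // line saves whatever an authenticated browser POSTs, which is what a
    // cross-site forged request relies on.
    check_admin_referer( 'dxuc_example_save_settings' );

    // Sanitize before storing: a text list and a positive integer.
    $authors = isset( $_POST['dxucauthorslist'] )
        ? sanitize_text_field( wp_unslash( $_POST['dxucauthorslist'] ) )
        : '';
    $count = isset( $_POST['dxuccommentcount'] ) ? absint( $_POST['dxuccommentcount'] ) : 10;

    update_option( 'dxucauthorslist', $authors );
    update_option( 'dxuccommentcount', max( 1, $count ) );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_dxuc_example_save_settings', 'dxuc_example_save_settings' );
```

When auditing a plugin for this class of issue (the "generic web" check above), look for the pair together: a `wp_nonce_field()` call in the form and a matching `check_admin_referer()` (or `wp_verify_nonce()`) in the handler, alongside a `current_user_can()` capability check. Either half on its own is not sufficient.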
No patch is known to be available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be better to uninstall the affected software and look for a replacement.
CVE-2026-4138 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the DX Unanswered Comments WordPress plugin versions up to 1.7, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the DX Unanswered Comments plugin and is running version 1.7 or earlier. Upgrade to a patched version as soon as possible.
Upgrade the DX Unanswered Comments plugin to a version that addresses the nonce validation issue. A specific fixed version is not provided, so monitor for updates.
While no active exploitation is confirmed, the vulnerability is relatively easy to exploit and requires only social engineering, making it a potential target.
Refer to the WordPress plugin repository and the DX Unanswered Comments plugin developer's website for updates and advisories related to CVE-2026-4138.