Platform: wordpress
Component: seo-local-rank
Fixed version: 2.2.10
CVE-2026-1085 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the TrueRanker WordPress plugin. This flaw allows unauthenticated attackers to potentially disconnect an administrator's True Ranker account by tricking them into clicking a malicious link. The vulnerability impacts versions of the plugin up to and including 2.2.9. A fix is available in subsequent versions.
The primary impact of this CSRF vulnerability is the potential for unauthorized account disconnection. An attacker could craft a malicious link that, when clicked by an administrator, would trigger a forged request to sign them out of the True Ranker plugin. This could disrupt SEO management activities, potentially leading to lost data or incorrect configurations. While the attacker doesn't gain direct access to sensitive data, the disruption caused by account disconnection can be significant, especially for users heavily reliant on the True Ranker plugin for their SEO workflows. This vulnerability highlights the importance of proper nonce validation in WordPress plugins to prevent unauthorized actions.
CVE-2026-1085 was publicly disclosed on 2026-03-06. There are currently no known public proof-of-concept exploits available. The EPSS score is likely low to medium, given the reliance on social engineering to trick administrators into clicking malicious links. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the TrueRanker plugin, particularly those with administrators who may be susceptible to phishing attacks or social engineering tactics, are at risk. Shared hosting environments where multiple users share the same server and resources are also at increased risk, as a compromised account could potentially impact other websites on the same server.
• wordpress / composer / npm:
    grep -r 'seolocalrank-signout' /var/www/html/wp-content/plugins/trueranker/
    wp plugin list --status=all | grep trueranker
    wp plugin update trueranker --all

Disclosure
Exploit status
    EPSS: 0.01% (2nd percentile)
    CISA SSVC:
    CVSS vector:
The primary mitigation for CVE-2026-1085 is to upgrade to a version of the TrueRanker plugin that includes the necessary nonce validation fixes. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the seolocalrank-signout action without proper authentication. Additionally, educate administrators about the risks of clicking on suspicious links and encourage them to verify the authenticity of any requests before performing actions. Regularly review WordPress plugin configurations and ensure they adhere to security best practices.
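To make the nonce-validation point concrete, here is an added example of a hypothetical WordPress plugin "disconnect account" handler, first in the CSRF-prone shape the advisory describes (any request from a logged-in administrator is honoured) and then hardened with a nonce check and a capability check. This is illustrative code written for this page, not TrueRanker's code: the hook name `example_signout`, the option name `example_trueranker_token` and the nonce action/field names are all assumed; only the idea that a signout action existed without nonce validation comes from the advisory.

```php
<?php
// Added example (not TrueRanker's code). Names below are assumed for illustration.

// --- CSRF-prone form. Registered on admin-post.php, this runs for any request
// that carries action=example_signout while an administrator is logged in, so a
// forged cross-site request (the "malicious link" in the advisory) can disconnect
// the account. Nothing ties the request to the plugin's own settings page.
function example_signout_unsafe() {
    delete_option( 'example_trueranker_token' ); // assumed option holding the API token
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// --- Hardened form. Two checks before any state change:
//   1. current_user_can(): the caller must hold the capability to manage the site.
//   2. check_admin_referer(): the request must carry a nonce generated for this
//      action and this user; a missing or stale nonce ends the request with
//      WordPress's "link has expired" page instead of performing the signout.
function example_signout_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_signout_action', '_example_nonce' );

    delete_option( 'example_trueranker_token' );
    wp_safe_redirect(
        add_query_arg( 'disconnected', '1', admin_url( 'admin.php?page=example-settings' ) )
    );
    exit;
}
add_action( 'admin_post_example_signout', 'example_signout_safe' );

// The settings page renders the disconnect control as a POST form that embeds
// the nonce. A plain link can no longer trigger the action, because it would
// not carry a valid _example_nonce value.
function example_render_signout_button() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_signout">
        <?php wp_nonce_field( 'example_signout_action', '_example_nonce' ); ?>
        <?php submit_button( 'Disconnect account', 'secondary' ); ?>
    </form>
    <?php
}
```

The same pattern applies to AJAX endpoints (`check_ajax_referer()` in place of `check_admin_referer()`). A WAF rule of the kind suggested above is a stopgap that only filters requests lacking the expected nonce parameter; it does not replace server-side verification, because the nonce's validity can only be checked by WordPress itself.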
No known fix patch is available. Review the vulnerability details carefully and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find an alternative.
CVE-2026-1085 is a Cross-Site Request Forgery (CSRF) vulnerability in the TrueRanker WordPress plugin, allowing attackers to potentially disconnect administrator accounts.
You are affected if you are using TrueRanker WordPress plugin versions 2.2.9 or earlier. Upgrade to a patched version to resolve the vulnerability.
Upgrade to the latest version of the TrueRanker plugin, which includes the necessary nonce validation fixes. Consider WAF rules as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the TrueRanker plugin website or WordPress plugin repository for the latest security advisories and updates related to CVE-2026-1085.