Platform: wordpress
Component: star-review-manager
Fixed in: 1.2.3
CVE-2026-1076 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Star Review Manager plugin for WordPress. This flaw allows unauthenticated attackers to modify the plugin's CSS settings by crafting malicious requests, potentially impacting site aesthetics and user experience. The vulnerability impacts versions 0.0.0 through 1.2.2, and a patch is expected to be released by the plugin developer.
The primary impact of this CSRF vulnerability lies in the ability of an attacker to manipulate the Star Review Manager plugin's CSS settings. While this might seem cosmetic, it could be leveraged for more malicious purposes. An attacker could alter the plugin's appearance to mislead users, potentially concealing legitimate content or injecting malicious elements. Furthermore, if the CSS settings control other aspects of the plugin's functionality, an attacker could potentially gain further control. This vulnerability highlights the importance of proper nonce validation in WordPress plugins to prevent unauthorized modifications.
This vulnerability was publicly disclosed on January 24, 2026. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is pending evaluation, but because CSRF is generally straightforward to exploit, a medium exploitation probability is plausible. Monitor CISA and WordPress security advisories for updates.
WordPress websites utilizing the Star Review Manager plugin, particularly those with shared hosting environments or lacking robust access controls, are at increased risk. Sites where administrators frequently click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm: grep -r 'settings_update' /var/www/html/wp-content/plugins/star-review-manager/
• wordpress / composer / npm: wp plugin list --status=inactive | grep 'star-review-manager'
• wordpress / composer / npm: wp plugin list --status=active | grep 'star-review-manager'
Disclosure
Exploit Status
EPSS
0.01% (0% percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-1076 is to upgrade the Star Review Manager plugin to a version that includes the necessary nonce validation. Until an updated version is available, consider implementing a Web Application Firewall (WAF) rule to block requests to the plugin's settings page that lack proper authentication. Additionally, restrict access to the settings page to authorized administrators only. Monitor WordPress logs for suspicious activity related to the plugin’s settings, looking for unexpected changes to CSS files.
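The nonce validation that the impact paragraph and the mitigation above both refer to is easiest to see side by side. The following is an added illustration, not code from the Star Review Manager plugin: the option key `srm_custom_css`, the action name `srm_save_css` and the nonce field name `srm_css_nonce` are placeholders chosen here, and the WordPress functions used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`, `wp_strip_all_tags`) are the standard core APIs.

```php
<?php
/**
 * Added illustration (not the plugin's own code): a CSS-settings save handler
 * written without a nonce check, beside a hardened version of the same handler.
 * 'srm_custom_css', 'srm_save_css' and 'srm_css_nonce' are placeholder names.
 */

// --- CSRF-prone pattern: any POST that arrives with the admin's session cookie is applied. ---
function srm_save_css_insecure() {
    if ( isset( $_POST['srm_custom_css'] ) ) {
        // No nonce and no capability check: a form auto-submitted from another
        // site in a logged-in administrator's browser reaches this line and is stored.
        update_option( 'srm_custom_css', wp_unslash( $_POST['srm_custom_css'] ) );
    }
}

// --- Hardened pattern: nonce in the form, nonce + capability + sanitisation in the handler. ---
function srm_render_css_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="srm_save_css">
        <?php wp_nonce_field( 'srm_save_css', 'srm_css_nonce' ); // per-user, time-limited token ?>
        <textarea name="srm_custom_css"><?php echo esc_textarea( get_option( 'srm_custom_css', '' ) ); ?></textarea>
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}

function srm_save_css_secure() {
    // 1. Capability: only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce: proves the request came from the form WordPress rendered for this user.
    //    check_admin_referer() stops with a 403 page when the nonce is absent or invalid,
    //    which is exactly the case for a cross-site forged request (it carries the
    //    session cookie but cannot know the nonce value).
    check_admin_referer( 'srm_save_css', 'srm_css_nonce' );

    // 3. Sanitise: keep plain CSS text only, dropping any markup or script.
    $css = isset( $_POST['srm_custom_css'] )
        ? wp_strip_all_tags( wp_unslash( $_POST['srm_custom_css'] ) )
        : '';
    update_option( 'srm_custom_css', $css );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// admin-post.php dispatches POSTs with action=srm_save_css to this handler for logged-in users.
add_action( 'admin_post_srm_save_css', 'srm_save_css_secure' );
```

The point for defenders is the second check: a CSRF request is authenticated (the browser attaches the session cookie), so a WAF rule keyed on "missing authentication" does not help; an interim rule should instead require the nonce parameter to be present on the plugin's settings endpoint, or reject POSTs whose `Origin`/`Referer` header is not the site itself, until the patched version with server-side nonce validation is installed.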
No known patch available. Study the vulnerability details thoroughly and apply mitigations according to your organization's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2026-1076 is a Cross-Site Request Forgery (CSRF) vulnerability in the Star Review Manager WordPress plugin, allowing attackers to modify CSS settings without authentication.
You are affected if your WordPress site uses the Star Review Manager plugin in versions 0.0.0 through 1.2.2.
Upgrade the Star Review Manager plugin to a patched version that includes nonce validation. Until then, use a WAF or restrict access to the settings page.
There is no confirmed active exploitation of CVE-2026-1076 at this time, but the vulnerability's nature suggests potential for exploitation.
Check the Star Review Manager plugin's official website or WordPress plugin repository for the latest advisory and patch information.