True Ranker <= 2.2.9 - Cross-Site Request Forgery to Unauthorized True Ranker Disconnection
Platform
wordpress
Component
seo-local-rank
Fixed in
2.2.10
CVE-2026-1085 describes a Cross-Site Request Forgery (CSRF) vulnerability in the True Ranker WordPress plugin (component seo-local-rank). Because the plugin's sign-out action is not protected by a nonce check, an unauthenticated attacker can disconnect an administrator's True Ranker account by tricking the logged-in administrator into clicking a link or visiting a page that issues the forged request. Versions up to and including 2.2.9 are affected; the fix is in 2.2.10.
Impact and Attack Scenarios
The impact is unauthorized disconnection of the plugin's account. An attacker hosts a page or sends a link that, when opened by a logged-in administrator, makes the browser send a request to the plugin's seolocalrank-signout action with the administrator's session cookies attached; because the action does not validate a nonce, the plugin executes it. The attacker gains no access to data (the CVSS metrics below rate confidentiality and availability impact as none and integrity as low), but the site's True Ranker connection is severed and the administrator must reconnect it, disrupting SEO workflows that depend on the plugin. The root cause is the missing nonce validation that WordPress provides for exactly this class of state-changing admin action.
Exploitation Context
CVE-2026-1085 was publicly disclosed on 2026-03-06. No public proof-of-concept exploit is known. The EPSS score is 0.01% (2nd percentile), consistent with the requirement that an administrator be socially engineered into clicking a link or visiting an attacker-controlled page. It is not listed in the CISA KEV catalog.
Who Is at Risk
WordPress sites running the True Ranker plugin at version 2.2.9 or earlier are at risk, with exposure highest where administrators browse other sites while logged into wp-admin and may follow links from phishing or other social engineering. The forged request only signs the plugin out; it does not compromise credentials or grant access to the server, so on shared hosting the effect stays confined to the affected site.
Detection Steps
• wordpress / composer / npm:
grep -r 'seolocalrank-signout' /var/www/html/wp-content/plugins/trueranker/
• wordpress / composer / npm:
wp plugin list --status=all | grep trueranker
• wordpress / composer / npm:
wp plugin update trueranker
Note: the Component field above gives the plugin slug as seo-local-rank; if `wp plugin list` shows that slug rather than trueranker, use it in the grep path and update command.
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet; no physical or local access required.
- Attack Complexity
- Low: no special conditions; the attacker can exploit reliably.
- Privileges Required
- None: no authentication required to exploit.
- User Interaction
- Required: the victim must open a file, click a link or visit a page.
- Scope
- Unchanged: impact limited to the vulnerable component.
- Confidentiality
- None: no impact on confidentiality.
- Integrity
- Low: the attacker can modify some data with limited reach.
- Availability
- None: no impact on availability.
Affected Software
Package information
- Plugin rating
- 4.6
- Requires WordPress
- 3.0.1+
- Compatible up to
- 6.9.4
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-1085 is to upgrade True Ranker to 2.2.10 or later, which adds the missing nonce validation. If upgrading immediately is not feasible, a Web Application Firewall rule can block requests that invoke the seolocalrank-signout action unless their Origin or Referer header is the site itself; note that requiring authentication is not a defence here, because a CSRF request is sent by the authenticated victim's own browser with its cookies. Additionally, remind administrators not to follow unexpected links while logged into wp-admin, and periodically review installed plugins and their versions.
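To make the nonce point concrete (both the impact section and this mitigation section turn on it), here is an added PHP example that is not the True Ranker plugin's own code: a hypothetical admin-post handler with the CSRF weakness beside the nonce-protected version of the same handler. The action names `example_signout_vulnerable` and `example_signout`, the option name `example_api_token`, the settings page slug and the `manage_options` capability are assumptions chosen for the illustration.

```php
<?php
/*
 * Illustrative example, not code from the True Ranker plugin. It shows the
 * CSRF-prone pattern a WordPress "disconnect" action can fall into and the
 * nonce-protected form WordPress core provides for it. All action names,
 * option names and page slugs below are assumptions for the example.
 */

// Vulnerable pattern: any GET or POST to
//   /wp-admin/admin-post.php?action=example_signout_vulnerable
// made while the administrator's browser carries a valid session cookie
// disconnects the account. Nothing proves the administrator intended the
// request, so an <img src="..."> or a link on an attacker's page suffices.
add_action( 'admin_post_example_signout_vulnerable', function () {
    // A capability check alone does not stop CSRF: the victim *is* an admin,
    // and the browser attached their cookies to the forged request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    delete_option( 'example_api_token' );            // the "disconnect"
    wp_safe_redirect( admin_url( 'options-general.php?page=example&disconnected=1' ) );
    exit;
} );

// Hardened pattern: the same handler, but the request must carry a nonce
// bound to this action and to the current user's session. A cross-site
// request cannot include it, because the attacker never sees the
// administrator's page and nonces are not guessable.
add_action( 'admin_post_example_signout', function () {
    // check_admin_referer() validates $_REQUEST['_wpnonce'] against the
    // action string and terminates the request with an HTTP 403 if the nonce
    // is missing, expired, or tied to another user or action.
    check_admin_referer( 'example_signout' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    delete_option( 'example_api_token' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&disconnected=1' ) );
    exit;
} );

// The settings page emits the disconnect link with the nonce appended.
// Only this URL, rendered for this user in this session, passes
// check_admin_referer() in the hardened handler above.
function example_render_disconnect_link() {
    $url = wp_nonce_url(
        add_query_arg( 'action', 'example_signout', admin_url( 'admin-post.php' ) ),
        'example_signout'
    );
    // Resulting URL has the shape
    //   .../admin-post.php?action=example_signout&_wpnonce=<10-hex-char nonce>
    echo '<a href="' . esc_url( $url ) . '">Disconnect True Ranker</a>';
}
```

The point of the contrast is that the vulnerable handler and the hardened one differ by a single call: `check_admin_referer()` (or `wp_verify_nonce()` for handlers that prefer to return an error instead of dying). The nonce is what ties the request to a page the administrator actually loaded; a WAF rule that rejects requests to the action with a foreign Origin or Referer approximates the same property from outside the application, which is why it works as a temporary workaround when the plugin itself cannot yet be updated.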
How to fix
Update True Ranker to version 2.2.10 or later, which contains the fix (see Fixed in above). If the plugin cannot be updated right away, apply the workarounds from the mitigation section, or deactivate the plugin until it can be updated.
Frequently Asked Questions
What is CVE-2026-1085 — CSRF in TrueRanker WordPress Plugin?
CVE-2026-1085 is a Cross-Site Request Forgery (CSRF) vulnerability in the TrueRanker WordPress plugin, allowing attackers to potentially disconnect administrator accounts.
Am I affected by CVE-2026-1085 in TrueRanker WordPress Plugin?
You are affected if you run True Ranker WordPress plugin version 2.2.9 or earlier. Upgrade to 2.2.10 or later to resolve the vulnerability.
How do I fix CVE-2026-1085 in TrueRanker WordPress Plugin?
Upgrade to True Ranker 2.2.10 or later, which includes the nonce validation fix. Until the update is applied, a WAF rule rejecting cross-origin requests to the sign-out action is a temporary workaround.
Is CVE-2026-1085 being actively exploited?
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Where can I find the official TrueRanker advisory for CVE-2026-1085?
Refer to the TrueRanker plugin website or WordPress plugin repository for the latest security advisories and updates related to CVE-2026-1085.