CVE-2026-1076
Unknown Unknown - Not Provided
CSRF Vulnerability in Star Review Manager Plugin Allows Settings Modification

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-24
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1076
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
star_review_manager star_review_manager to 1.2.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Star Review Manager WordPress plugin (up to version 1.2.2) is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce validation on the settings page. This allows an unauthenticated attacker to trick a site administrator into performing an action, such as clicking a malicious link, which then updates the plugin's CSS settings without the administrator's consent.

Impact Analysis

This vulnerability can allow an attacker to modify the plugin's CSS settings by exploiting the administrator's session through a forged request. While it does not directly compromise data confidentiality or availability, it can lead to unauthorized changes in the website's appearance or behavior, potentially affecting site integrity and user trust.

Detection Guidance

Detection can involve monitoring for POST requests to the plugin's settings page that include the 'css_text' parameter, which may indicate attempts to exploit the vulnerability. Since the vulnerability involves missing nonce validation on the settings page, checking for POST requests to 'wp-content/plugins/star-review-manager/admin/settings.php' with 'css_text' in the payload can help identify suspicious activity. Specific commands could include using web server logs or tools like grep to search for such POST requests, for example: grep 'POST.*css_text' /var/log/apache2/access.log or using network monitoring tools to filter HTTP POST requests targeting the plugin's settings page. However, no explicit detection commands are provided in the resources. [1, 2]

Mitigation Strategies

Immediate mitigation steps include updating the Star Review Manager plugin to a version later than 1.2.2 where the vulnerability is fixed, or if an update is not available, disabling or removing the plugin to prevent exploitation. Additionally, restricting access to the plugin's settings page to trusted administrators and implementing nonce validation or other CSRF protections can help mitigate the risk. Since the vulnerability allows unauthenticated attackers to update CSS settings via forged requests, ensuring that only authenticated and authorized users can access the settings page is critical.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1076. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart