CVE-2026-4138
CSRF Vulnerability in DX Unanswered Comments WordPress Plugin
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dx_unanswered_comments | dx_unanswered_comments | to 1.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to modify plugin settings via Cross-Site Request Forgery by tricking a site administrator into performing an action. This could potentially lead to unauthorized changes in the website's behavior or data handling.
However, there is no specific information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The DX Unanswered Comments plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 1.7.
This vulnerability exists because the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file lacks nonce validation.
As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking on a malicious link, which allows the attacker to modify plugin settings without permission.
How can this vulnerability impact me? :
This vulnerability can allow an unauthenticated attacker to change the settings of the DX Unanswered Comments plugin by tricking an administrator into clicking a crafted link.
Specifically, the attacker can modify settings such as dxuc_authors_list and dxuc_comment_count, potentially altering how the plugin behaves on the site.
While this does not directly compromise data confidentiality or availability, it can lead to unauthorized changes in plugin behavior, which might affect site functionality or user experience.