CVE-2026-6294
Received Received - Intake
CSRF Vulnerability in Google PageRank Display WordPress Plugin

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Wordfence

Description
The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6294
EUVD
EUVD-2026-24706
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
wordfence page_rank_display to 1.4 (inc)
wordfence pagerank_display to 1.4 (inc)
wordfence google_pagerank_display to 1.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Google PageRank Display plugin for WordPress versions up to and including 1.4 is vulnerable to Cross-Site Request Forgery (CSRF). This happens because the plugin's settings page does not properly validate requests using nonces. Specifically, the gpdisplay_option() function, which handles the settings, lacks nonce validation methods such as wp_nonce_field(), check_admin_referer(), or wp_verify_nonce(). As a result, an attacker can trick a logged-in administrator into submitting a crafted request that changes the plugin's settings without their consent.

Impact Analysis

This vulnerability allows an unauthenticated attacker to manipulate the plugin's settings by tricking an administrator into submitting a malicious request. The attacker can change settings such as the display style of the PageRank badge. While it does not directly compromise data confidentiality or availability, it can lead to unauthorized changes in the website's appearance or behavior, potentially undermining trust or causing confusion.

Detection Guidance

This vulnerability involves missing nonce validation in the Google PageRank Display plugin for WordPress, specifically in the gpdisplay_option() function. Detection would involve checking if the plugin version is up to and including 1.4 and verifying whether the settings form includes a wp_nonce_field() and if the form handler calls check_admin_referer() or wp_verify_nonce().

To detect this on your system, you can check the installed plugin version and inspect the plugin files for the presence or absence of nonce validation functions.

  • Use WP-CLI to check the plugin version: `wp plugin list | grep page-rank-display`
  • Manually inspect the plugin file containing gpdisplay_option() for calls to wp_nonce_field(), check_admin_referer(), or wp_verify_nonce().
  • Monitor HTTP POST requests to the plugin settings page for suspicious or unauthorized changes, possibly by enabling WordPress debug logging or using a web application firewall.
Mitigation Strategies

Immediate mitigation steps include updating the Google PageRank Display plugin to a version later than 1.4 where the nonce validation issue is fixed.

If an update is not available, you should disable or remove the plugin to prevent exploitation.

Additionally, restrict administrative access to trusted users only and consider implementing additional security measures such as a web application firewall to block unauthorized POST requests.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks that can change plugin settings via a crafted request. This could potentially lead to unauthorized changes in the website's behavior or display.

However, there is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6294. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart