CVE-2026-6294
CSRF Vulnerability in Google PageRank Display WordPress Plugin
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | page_rank_display | to 1.4 (inc) |
| wordfence | pagerank_display | to 1.4 (inc) |
| wordfence | google_pagerank_display | to 1.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Google PageRank Display plugin for WordPress versions up to and including 1.4 is vulnerable to Cross-Site Request Forgery (CSRF). This happens because the plugin's settings page does not properly validate requests using nonces. Specifically, the gpdisplay_option() function, which handles the settings, lacks nonce validation methods such as wp_nonce_field(), check_admin_referer(), or wp_verify_nonce(). As a result, an attacker can trick a logged-in administrator into submitting a crafted request that changes the plugin's settings without their consent.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker to manipulate the plugin's settings by tricking an administrator into submitting a malicious request. The attacker can change settings such as the display style of the PageRank badge. While it does not directly compromise data confidentiality or availability, it can lead to unauthorized changes in the website's appearance or behavior, potentially undermining trust or causing confusion.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing nonce validation in the Google PageRank Display plugin for WordPress, specifically in the gpdisplay_option() function. Detection would involve checking if the plugin version is up to and including 1.4 and verifying whether the settings form includes a wp_nonce_field() and if the form handler calls check_admin_referer() or wp_verify_nonce().
To detect this on your system, you can check the installed plugin version and inspect the plugin files for the presence or absence of nonce validation functions.
- Use WP-CLI to check the plugin version: `wp plugin list | grep page-rank-display`
- Manually inspect the plugin file containing gpdisplay_option() for calls to wp_nonce_field(), check_admin_referer(), or wp_verify_nonce().
- Monitor HTTP POST requests to the plugin settings page for suspicious or unauthorized changes, possibly by enabling WordPress debug logging or using a web application firewall.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Google PageRank Display plugin to a version later than 1.4 where the nonce validation issue is fixed.
If an update is not available, you should disable or remove the plugin to prevent exploitation.
Additionally, restrict administrative access to trusted users only and consider implementing additional security measures such as a web application firewall to block unauthorized POST requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks that can change plugin settings via a crafted request. This could potentially lead to unauthorized changes in the website's behavior or display.
However, there is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.