CVE-2026-6700
Cross-Site Request Forgery in DX Sources WordPress Plugin
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dx_sources | dx_sources_plugin | to 2.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The DX Sources plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 2.0.1. This occurs because the plugin's settings_page_build function lacks proper nonce validation, which is a security measure to verify legitimate requests.
As a result, an unauthenticated attacker can trick a logged-in administrator into submitting a forged request. This means the attacker can cause the administrator to unknowingly modify the plugin's configuration options by, for example, clicking on a malicious link.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the DX Sources plugin for WordPress to a version later than 2.0.1 where the nonce validation issue in the settings_page_build function is fixed.
Additionally, ensure that only trusted administrators have access to the WordPress admin area and educate them to avoid clicking on suspicious links that could trigger forged requests.
How can this vulnerability impact me? :
This vulnerability allows an attacker to modify the configuration settings of the DX Sources plugin without proper authorization. Since the attacker can trick an administrator into performing actions unknowingly, it can lead to unauthorized changes that may affect the security or functionality of the WordPress site.
Although the vulnerability does not directly compromise data confidentiality or availability, it can lead to integrity issues by allowing unauthorized configuration changes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the Cross-Site Request Forgery vulnerability in the DX Sources WordPress plugin impacts compliance with common standards and regulations such as GDPR or HIPAA.