CVE-2026-6710
Cross-Site Request Forgery in Skysa Text Ticker App WordPress Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| skysa | skysa_text_ticker_app | up to and including 1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Skysa Text Ticker App plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.4. This occurs because the plugin's function SkysaApps_Admin_AppPage lacks proper nonce validation. As a result, an attacker can trick a site administrator into unknowingly submitting a forged request that modifies the plugin's settings, such as changing the scrolling message text and URL.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to manipulate the plugin's settings by tricking a site administrator into performing an action like clicking a malicious link. The attacker can change the scrolling message text and URL displayed by the plugin, potentially leading to misinformation or redirecting users to malicious sites.
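The missing check described above is the standard WordPress nonce round trip: the settings form embeds a nonce and the handler verifies it before changing anything. The following is an added example of that pattern, not the plugin's code and not a vendor patch; every `example_`-prefixed function, constant, field and option name is a hypothetical stand-in for whatever SkysaApps_Admin_AppPage actually uses.

```php
<?php
// Added illustration of a nonce-protected settings page. All example_* names
// are hypothetical; only the WordPress core functions are real APIs.

const EXAMPLE_NONCE_ACTION = 'example_ticker_save_settings';
const EXAMPLE_NONCE_FIELD  = 'example_ticker_nonce';

// Render the form with a hidden nonce tied to the logged-in user and this action.
function example_ticker_render_form() {
    $message = get_option( 'example_ticker_message', '' );
    $url     = get_option( 'example_ticker_url', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD ); ?>
        <input type="text" name="example_ticker_message"
               value="<?php echo esc_attr( $message ); ?>">
        <input type="url" name="example_ticker_url"
               value="<?php echo esc_url( $url ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Admin page callback: authorize, verify the nonce, then save.
function example_ticker_admin_page() {
    // A capability check alone does not stop CSRF: a forged request rides on
    // the administrator's own session and passes this test.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Stops the request unless it carries the nonce issued by the form
        // above. This must run before any option is written.
        check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

        $message = sanitize_text_field( wp_unslash( $_POST['example_ticker_message'] ?? '' ) );
        // Restrict the stored link to http/https so it cannot hold other schemes.
        $url = esc_url_raw( wp_unslash( $_POST['example_ticker_url'] ?? '' ), array( 'http', 'https' ) );

        update_option( 'example_ticker_message', $message );
        update_option( 'example_ticker_url', $url );
    }

    example_ticker_render_form();
}
```

When reviewing a plugin for this class of bug, look for admin callbacks that read `$_POST` or `$_GET` and call `update_option()` with no `check_admin_referer()` or `wp_verify_nonce()` call on the same code path.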