CVE-2026-7614
Cross-Site Request Forgery in Old Posts Highlighter WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| old_posts_highlighter | plugin | to 1.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Old Posts Highlighter plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0.3. This occurs because the plugin's OPH_options function lacks proper nonce validation, which is a security measure to verify legitimate requests.
As a result, an attacker who is not authenticated can trick a site administrator into performing an action, such as clicking on a malicious link, which then allows the attacker to update the plugin's configuration settings without authorization.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized changes to the plugin's configuration settings by attackers without needing to be logged in. If an attacker successfully exploits this, they could manipulate the plugin's behavior or settings, potentially leading to security risks or disruptions on the affected WordPress site.