CVE-2026-7616
Cross-Site Request Forgery in Zawgyi Embed WordPress Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Zawgyi Embed plugin for WordPress to a version later than 2.1.1 where the nonce validation issue in the zawgyi_adminpage function is fixed.
Additionally, avoid clicking on suspicious links and ensure that site administrators are aware of the risk of Cross-Site Request Forgery attacks.
Can you explain this vulnerability to me?
The Zawgyi Embed plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 2.1.1. This vulnerability exists because the plugin's zawgyi_adminpage function lacks proper nonce validation. As a result, an attacker can trick a site administrator into submitting a forged POST request that updates the plugin's zawgyi_forceCSS setting without the administrator's intention.
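The pattern described above, as a constructed illustration added here (this is not the plugin's own code): a WordPress admin-page handler that saves an option straight from a POST, beside the hardened form that ties the form to a nonce and verifies it before the option is written. The names zawgyi_adminpage and zawgyi_forceCSS are taken from the advisory; the function bodies, the nonce action name and the form field names are assumptions.

```php
<?php
// Constructed example, not the Zawgyi Embed plugin's code. The names
// zawgyi_adminpage / zawgyi_forceCSS come from the advisory; bodies are assumed.

// VULNERABLE pattern (CWE-352): the capability check confirms WHO is logged in,
// but nothing confirms that the request was intentionally submitted from this
// page. A form on another site, auto-submitted in an administrator's browser,
// reaches update_option() with the admin's cookies attached.
function zawgyi_adminpage_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( isset( $_POST['zawgyi_save'] ) ) {
        $value = ( isset( $_POST['zawgyi_forceCSS'] ) && '1' === $_POST['zawgyi_forceCSS'] ) ? '1' : '0';
        update_option( 'zawgyi_forceCSS', $value );
    }
    $force = get_option( 'zawgyi_forceCSS', '0' );
    echo '<form method="post">';
    echo '<label><input type="checkbox" name="zawgyi_forceCSS" value="1" '
        . checked( $force, '1', false ) . '> Force CSS</label>';
    submit_button( 'Save', 'primary', 'zawgyi_save' );
    echo '</form>';
}

// HARDENED pattern: wp_nonce_field() embeds a token bound to the current user
// and to the action 'zawgyi_save_settings'; check_admin_referer() verifies that
// token (and the Referer) BEFORE any state changes and dies with a 403 if it is
// missing or invalid. A cross-site form cannot supply a valid token.
function zawgyi_adminpage_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( isset( $_POST['zawgyi_save'] ) ) {
        check_admin_referer( 'zawgyi_save_settings', 'zawgyi_nonce' );
        $value = ( isset( $_POST['zawgyi_forceCSS'] ) && '1' === $_POST['zawgyi_forceCSS'] ) ? '1' : '0';
        update_option( 'zawgyi_forceCSS', $value );
    }
    $force = get_option( 'zawgyi_forceCSS', '0' );
    echo '<form method="post">';
    wp_nonce_field( 'zawgyi_save_settings', 'zawgyi_nonce' );
    echo '<label><input type="checkbox" name="zawgyi_forceCSS" value="1" '
        . checked( $force, '1', false ) . '> Force CSS</label>';
    submit_button( 'Save', 'primary', 'zawgyi_save' );
    echo '</form>';
}
```

When reviewing a plugin for this class of bug, look for every code path that calls update_option() (or otherwise changes state) on a POST and confirm that a check_admin_referer() or wp_verify_nonce() call precedes it, since a capability check alone does not establish request intent.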
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to modify the plugin's settings by tricking an administrator into performing an action, such as clicking a malicious link. Although it does not directly compromise confidentiality or availability, it can lead to unauthorized changes in the plugin's behavior, potentially affecting the website's appearance or functionality.