CVE-2026-8911
Cross-Site Request Forgery in WP AutoBuzz WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_autobuzz | wp_autobuzz | to 1.1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP AutoBuzz plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) in all versions up to and including 1.1.1. This occurs because the plugin lacks proper nonce validation on a function, allowing attackers to trick a site administrator into performing unintended actions, such as clicking a malicious link.
As a result, unauthenticated attackers can update plugin settings and inject malicious web scripts through forged requests. This bypasses WordPress's usual protection mechanisms because the unsanitized data is written directly via the update_option function at the plugin level, outside of WordPress's normal content handling.
How can this vulnerability impact me? :
This vulnerability can allow attackers to inject malicious scripts into your WordPress site by exploiting the plugin's lack of proper validation. This can lead to unauthorized changes in plugin settings and potentially compromise the integrity and security of your website.
Because the attack requires tricking an administrator into clicking a link, it can result in unauthorized actions being performed without the administrator's knowledge, potentially leading to data leakage or site defacement.