CVE-2026-8938
Cross-Site Request Forgery in Auto Making JSON-LD WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | auto_making_json_ld_plugin | to 4.5.3 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Auto Making JSON-LD plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 4.5.3. The vulnerability exists because the plugin's amJL_certification function lacks proper nonce validation. As a result, an attacker can trick a site administrator into performing an action, such as clicking a malicious link, which allows the attacker to update the plugin's license key option without authorization.
Exploitation of this vulnerability can lead to unauthorized triggering of license validation and installation of pro features on the victim's site, extending the impact beyond just changing settings to installing plugin components without consent.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to update the license key option of the plugin on your WordPress site without your consent.
As a consequence, the attacker can trigger license validation and install pro features of the plugin without authorization, potentially altering your site's functionality or introducing unwanted components.
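The missing check described above, shown as an added example of a nonce-protected settings handler in WordPress. This is not the plugin's code: the function names, the action name example_save_license and the option name example_license_key are hypothetical.

```php
<?php
// Added illustration: a hypothetical license-key settings handler.
// All example_* names are assumptions, not identifiers from the plugin.

// Form side: embed a nonce bound to this action and the logged-in user.
function example_render_license_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_license">
        <?php wp_nonce_field( 'example_save_license', 'example_license_nonce' ); ?>
        <input type="text" name="example_license_key">
        <?php submit_button( 'Save license' ); ?>
    </form>
    <?php
}

// Handler side. A handler that goes straight to update_option() accepts any
// request that carries the administrator's session cookie, including one
// submitted from another site (CWE-352).
function example_save_license() {
    // 1. Authorization: only administrators may change the option.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Intent: stops with a 403 when the nonce is missing, expired or
    //    was issued for a different user or action.
    check_admin_referer( 'example_save_license', 'example_license_nonce' );

    // 3. Input handling: unslash and sanitize before storing.
    $key = isset( $_POST['example_license_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_license_key'] ) )
        : '';
    update_option( 'example_license_key', $key );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_example_save_license', 'example_save_license' );
```

Any follow-on work such as license validation or component installation belongs after both checks, so a forged request cannot reach it.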