CVE Catalog

CVE-2026-8902

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile - higher than 2% of all known CVEs

Summary

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.0.4. This is due to missing or incorrect nonce validation on the rc_options_page function.

Risk Assessment

Unauthenticated attackers can modify plugin settings, which may lead to unauthorized changes to content and notification settings. This poses a risk to the integrity and security of the website.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability. Additionally, implementing CSRF protection mechanisms is advisable.

Original NVD description (English source)

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc_options_page function. This makes it possible for unauthenticated attackers to modify plugin settings including link text and markup, success/failure/already-reported messages, comment threshold, cookie duration, reporter-comment toggle, and notification email address, subject, and message body via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS