CVE-2026-8911

EUVD-2026-32071

27.05.2026, 07:16

The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This vulnerability bypasses WordPress's DISALLOW_UNFILTERED_HTML protection because the unsanitized value is written directly via update_option at the plugin level, entirely outside of WordPress post content handling.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://plugins.trac.wordpress.org/browser/wp-autobuzz/tags/1.1.1/wp-autobuzz.php#L77

https://plugins.trac.wordpress.org/browser/wp-autobuzz/tags/1.1.1/wp-autobuzz.php#L81

https://plugins.trac.wordpress.org/browser/wp-autobuzz/tags/1.1.1/wp-autobuzz.php#L93

https://www.wordfence.com/threat-intel/vulnerabilities/id/481dc27b-0d64-49cc-8d67-50fa53636398?source=cve