WordPress RD Station plugin <= 5.2.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Description
Multiple CSRF vulnerabilities in RD Station plugin for WordPress up to version 5.2.0 allow attackers to perform unauthorized actions on behalf of authenticated users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The RD Station plugin for WordPress (integracao-rd-station), versions 5.2.0 and earlier, contains multiple Cross-Site Request Forgery (CSRF) vulnerabilities. The flaws sit in the plugin's administrative request handlers (settings updates and integration management): those handlers act on incoming requests without verifying a WordPress nonce or any other anti-CSRF token, so the server cannot tell a request generated by the plugin's own admin form from one forged by a third-party page. The plugin integrates RD Station Marketing with WordPress for lead tracking, form integrations and pop-ups. All releases up to and including 5.2.0 are affected [1].
Exploitation
An attacker exploits these flaws by crafting a link or hosting a page that, when loaded by an authenticated WordPress administrator (or another user with the capability to manage the plugin), silently submits a request to the vulnerable handler. Because the browser attaches the victim's WordPress session cookies to that request automatically, the handler processes it as if the victim had submitted the plugin's own form. The attacker needs no account on the target site and no special network position; the only prerequisites are a victim who is logged in and a way to get that victim to load attacker-controlled content. User interaction is therefore required, but it is limited to visiting the page or clicking the link; the victim never has to interact with the plugin itself.
Impact
Successful exploitation allows an attacker to perform unauthorized actions within the RD Station plugin on behalf of the victim. This could include modifying plugin settings, changing tracking codes, adding or removing integrations, or altering configuration data. The impact is confined to the plugin's functionality and may lead to data integrity issues, potential data exfiltration through altered tracking, or further compromise of the WordPress site if the attacker leverages the plugin's capabilities. The attacker does not gain direct access to the WordPress admin panel but can manipulate plugin-specific operations.
Mitigation
The vulnerability is addressed in versions later than 5.2.0. Site owners should update the RD Station plugin to the latest release (5.6.0 as of the reference date), which includes the CSRF fixes and other security improvements [1]. No official workaround is documented; the plugin is actively maintained and the vendor recommends keeping it updated. To confirm the installed version and update it from the command line, run wp plugin get integracao-rd-station --field=version and then wp plugin update integracao-rd-station (WP-CLI). This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
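The following is an added illustration, not code from the RD Station plugin, of the handler pattern described in the Vulnerability, Exploitation and Mitigation sections: a WordPress admin-post handler that trusts any request it receives, next to the same handler hardened with a nonce and a capability check, plus the settings form that emits the matching nonce. The hook names, option name, form field and page slug (example_rd_*) are hypothetical; the WordPress functions (check_admin_referer, wp_nonce_field, current_user_can, update_option) are the real API.

```php
<?php
/*
 * Added example, not code from the RD Station plugin. All example_rd_* names
 * are hypothetical; the WordPress API calls are real.
 *
 * Attacker side (the shape of the page described under Exploitation):
 *
 *   <form id="f" method="post" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="example_rd_save_settings_vuln">
 *     <input type="hidden" name="tracking_token" value="attacker-controlled">
 *   </form>
 *   <script>document.getElementById('f').submit();</script>
 *
 * The victim's browser sends this with the victim's WordPress cookies, so the
 * vulnerable handler below accepts it; the hardened handler rejects it because
 * the attacker cannot know the per-user, per-session nonce value.
 */

// --- Vulnerable pattern: every request reaching this hook is trusted. --------
add_action( 'admin_post_example_rd_save_settings_vuln', 'example_rd_save_settings_vuln' );
function example_rd_save_settings_vuln() {
    // No nonce check: a cross-site form post lands here with the victim's session.
    // No capability check: any logged-in user can reach admin-post.php hooks.
    $token = sanitize_text_field( wp_unslash( $_POST['tracking_token'] ?? '' ) );
    update_option( 'example_rd_tracking_token', $token );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-rd' ) );
    exit;
}

// --- Hardened pattern: capability check, then nonce bound to this action. ----
add_action( 'admin_post_example_rd_save_settings', 'example_rd_save_settings' );
function example_rd_save_settings() {
    // 1. Authorization: fail closed unless the user may manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. Request provenance: check_admin_referer() verifies $_POST['_wpnonce']
    //    against the action string 'example_rd_save_settings' for the current
    //    user and session, and calls wp_die() on mismatch. A forged cross-site
    //    request carries no valid nonce and stops here.
    check_admin_referer( 'example_rd_save_settings' );

    // 3. Only now act on the input; sanitize as before.
    $token = sanitize_text_field( wp_unslash( $_POST['tracking_token'] ?? '' ) );
    update_option( 'example_rd_tracking_token', $token );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-rd&updated=1' ) );
    exit;
}

// --- The plugin's own form must emit the nonce the handler expects. ----------
function example_rd_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_rd_save_settings">
        <?php
        // Emits hidden _wpnonce (and _wp_http_referer) fields for this action.
        wp_nonce_field( 'example_rd_save_settings' );
        ?>
        <label>Tracking token
            <input type="text" name="tracking_token"
                   value="<?php echo esc_attr( get_option( 'example_rd_tracking_token', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two points a reviewer would check in a real plugin: the nonce action string passed to wp_nonce_field() must match the one passed to check_admin_referer() exactly, and the capability check is not optional just because a nonce is present, since a nonce only proves the request came from a form this site rendered for the current user, not that the user is allowed to perform the action.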
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 5.2.0
- RD Station / RD Station (WordPress plugin) v5, Range: n/a
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.