Ever Compare <= 1.2.3 - Arbitrary Plugin Activation via CSRF
Description
The Ever Compare plugin up to 1.2.3 lacks CSRF protection, allowing attackers to trick admins into activating arbitrary plugins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Ever Compare WordPress plugin through version 1.2.3 does not include a CSRF check when activating plugins. This means that an attacker can craft a malicious request that, when triggered by a logged-in administrator, will activate any plugin already present on the WordPress site without the administrator's consent [1]. The vulnerability is present in all versions prior to 1.2.4.
Exploitation
An attacker crafts a link or web page that sends a request to the plugin's activation handler in the WordPress admin area, then lures an authenticated administrator into clicking the link or visiting the page while logged into the site. The browser attaches the administrator's session cookies to the request, so nothing beyond social engineering is required: no credentials, no network position. Whether a cross-site POST actually carries those cookies also depends on the browser's SameSite defaults; a handler that accepts GET is reachable by a plain top-level link regardless.
Impact
Successful exploitation allows the attacker to activate any plugin that is already installed on the WordPress site. This can lead to further compromise if the activated plugin contains security vulnerabilities or introduces malicious functionality. The attack does not allow arbitrary code execution directly, but it can be a stepping stone for more severe attacks.
Mitigation
The vulnerability is fixed in version 1.2.4 of the Ever Compare plugin [1]. Users should update to this version immediately. There are no known workarounds for older versions; updating is the recommended course of action.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Ever Compare
  - Range: <= 1.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF nonce check on the plugin activation action allows attackers to forge requests on behalf of an authenticated administrator."
Attack vector
An attacker crafts a malicious link or form that, when visited by a logged-in WordPress administrator, triggers a cross-site request to the Ever Compare plugin's activation endpoint [1]. Because the plugin lacks a CSRF check (CWE-352), the forged request is processed as if the admin intended it, activating any plugin already present on the blog [1]. The attack requires no special network position beyond the ability to deliver the crafted request to the victim admin (e.g., via email, social engineering, or a compromised third-party site).
Affected code
The advisory does not specify the exact file or function name; the vulnerable code is the plugin activation handler within the Ever Compare plugin (versions through 1.2.3) that processes plugin activation requests without a CSRF nonce check [1].
What the fix does
The advisory states the vulnerability is fixed in version 1.2.4 [1]. No patch diff is provided in the bundle, but the expected remediation is a CSRF nonce on the activation action: the link or form is emitted with `wp_nonce_url()` or `wp_nonce_field()`, and the handler verifies it with `check_admin_referer()` (or `wp_verify_nonce()`) before calling into plugin activation, so the request is only processed when it carries a valid nonce bound to the action and the current user's session. A nonce check alone is not an authorization check; a correct handler also confirms `current_user_can('activate_plugins')`, since WordPress nonces are issued to any logged-in user.
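The pattern described above, shown as an added example. This is not Ever Compare's code: the advisory does not name the vulnerable file or function, so the `admin-post.php` action name, the function names and the `plugin` parameter are all hypothetical. The first handler reproduces the vulnerable shape (acts on the request with nothing but the session cookie); the second is the hardened form with a nonce, a capability check and input validation. A forged cross-site form submitted from the admin's browser carries no `_wpnonce`, so `check_admin_referer()` stops it with WordPress's 403 "The link you followed has expired." page before `activate_plugin()` is reached.

```php
<?php
// Added example, not Ever Compare's own code. Hook and function names are
// hypothetical; the advisory does not identify the real handler.

// --- Vulnerable shape (do not use) -----------------------------------------
// Registered in the vulnerable version as:
//   add_action('admin_post_evercompare_activate', 'evercompare_activate_vulnerable');
function evercompare_activate_vulnerable() {
    $plugin = isset($_REQUEST['plugin']) ? wp_unslash($_REQUEST['plugin']) : '';
    // No nonce, no capability check: a request forged by another site and
    // sent by the admin's browser is indistinguishable from a real click.
    activate_plugin($plugin);
    wp_safe_redirect(admin_url('plugins.php'));
    exit;
}

// --- Hardened shape --------------------------------------------------------
// Build the activation link with a nonce bound to this action and plugin.
// wp_nonce_url() appends _wpnonce, derived from the current user's session,
// so a third-party page cannot precompute or embed a valid value.
function evercompare_activation_link($plugin) {
    $url = add_query_arg(
        array('action' => 'evercompare_activate', 'plugin' => $plugin),
        admin_url('admin-post.php')
    );
    return wp_nonce_url($url, 'evercompare_activate_' . $plugin);
}

add_action('admin_post_evercompare_activate', 'evercompare_activate_hardened');
function evercompare_activate_hardened() {
    $plugin = isset($_REQUEST['plugin'])
        ? sanitize_text_field(wp_unslash($_REQUEST['plugin']))
        : '';

    // 1. Authorization: nonces are issued to any logged-in user, so the
    //    capability check is what keeps non-admins out.
    if (! current_user_can('activate_plugins')) {
        wp_die(__('Insufficient permissions.'), 403);
    }

    // 2. CSRF: verifies _wpnonce against the action string; on a missing or
    //    invalid nonce WordPress dies with a 403 "link has expired" page.
    check_admin_referer('evercompare_activate_' . $plugin);

    // 3. Input: only plugins actually present on this install may be named.
    //    get_plugins() is available here because admin-post.php loads
    //    wp-admin/includes/plugin.php.
    if (! array_key_exists($plugin, get_plugins())) {
        wp_die(__('Unknown plugin.'), 400);
    }

    $result = activate_plugin($plugin);
    if (is_wp_error($result)) {
        wp_die($result->get_error_message(), 500);
    }
    wp_safe_redirect(admin_url('plugins.php?activate=true'));
    exit;
}
```

Only one of the two functions should be hooked to the action; the vulnerable one is kept here solely for comparison. For AJAX endpoints the equivalent verifier is `check_ajax_referer()`, and the same capability check still applies.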
Preconditions
- [config] The target site must have the Ever Compare plugin installed and activated (version <= 1.2.3).
- [input] The attacker must trick a logged-in WordPress administrator into visiting a crafted URL or page.
- [config] The plugin to be activated must already be present on the blog (installed but deactivated).
Reproduction
1. As an administrator, log into a WordPress site running Ever Compare <= 1.2.3 and ensure at least one other plugin is installed but deactivated.
2. As the attacker, craft an HTML page containing a form that submits a POST request to the vulnerable endpoint (e.g., `wp-admin/admin-post.php` with the appropriate action parameter), or a plain link if the plugin accepts GET.
3. Trick the logged-in admin into visiting the attacker's page.
4. Observe that the deactivated plugin becomes activated without any confirmation or nonce validation [1].
5. Repeat the same request against version 1.2.4 to confirm the fix: the plugin should stay deactivated and the admin should be shown WordPress's nonce-failure page instead.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/dbabff3e-b021-49ed-aaf3-b73a77d4b354 (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.