WordPress WP Hide Post Plugin <= 2.0.10 is vulnerable to Cross Site Request Forgery (CSRF)
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
CSRF vulnerability in WP Hide Post plugin <=2.0.10 allows attackers to perform unauthorized actions; plugin removed from directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Hide Post plugin for WordPress versions 2.0.10 and earlier contains a Cross-Site Request Forgery (CSRF) vulnerability. The plugin does not properly verify nonces or other CSRF tokens, allowing an attacker to trick an authenticated administrator into unknowingly executing unwanted actions on the plugin's settings or functionality. The plugin has been closed and removed from the WordPress.org plugin directory due to a security issue, and no patched version is available.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link or form that, when clicked by an authenticated WordPress administrator while logged into the admin panel, triggers a forged request to the vulnerable plugin endpoint. No special network position is required; the attacker simply needs to host the malicious payload and induce the victim to interact with it, typically through social engineering (e.g., a deceptive email or webpage). The attacker does not need to authenticate to the WordPress site, as the exploit relies on the victim's existing session.
Impact
Successful exploitation allows an attacker to perform any action that the victim administrator can perform on the WP Hide Post plugin, such as hiding/unhiding posts or modifying plugin settings. The impact is limited to the plugin's functionality; however, if the plugin has privileged operations (e.g., modifying post visibility), the attacker could disrupt content management. The scope is within the WordPress admin interface, and the attacker does not gain direct access to the server or other components.
Mitigation
No patched version is available. The plugin has been removed from the WordPress.org repository as of July 27, 2023, and users are strongly advised to uninstall the plugin immediately. There is no known workaround other than removing the plugin. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
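Because the only remediation is removal, the practical first step is finding installed copies. The sketch below is an added example, not code from the plugin or from this advisory's source; it assumes the standard `wp-content/plugins/<slug>` layout and the usual WordPress `Version:` header line, and the sample trees and the file name `sample-main.php` are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "wp-hide-post"        # plugin directory slug, as given on this page
LAST_AFFECTED = (2, 0, 10)   # this page: versions <= 2.0.10 are affected
# WordPress takes plugin metadata from a "Version:" line in a PHP header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if there is none."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".") if p) if m else None

def audit(wp_root):
    """Return (status, version) for the plugin below wp_root/wp-content/plugins."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only reads the first 8 KB of a file for header fields.
        version = parse_version(php.read_text(encoding="utf-8", errors="replace")[:8192])
        if version is None:
            continue
        width = max(len(version), len(LAST_AFFECTED))
        pad = lambda v: v + (0,) * (width - len(v))
        affected = pad(version) <= pad(LAST_AFFECTED)
        return ("affected" if affected else "installed-out-of-range", version)
    # Directory present but no readable header: still a closed plugin to remove.
    return ("installed-version-unknown", None)

def demo():
    """Run the audit over constructed WordPress trees (sample data, not real sites)."""
    results = {}
    for label, header in [("old", "2.0.10"), ("short", "2.0"), ("newer", "2.0.11"), ("none", None)]:
        with tempfile.TemporaryDirectory() as root:
            plugin_dir = Path(root) / "wp-content" / "plugins" / SLUG
            plugin_dir.mkdir(parents=True)
            body = f"<?php\n/*\nPlugin Name: WP Hide Post\nVersion: {header}\n*/\n" if header else "<?php\n"
            # "sample-main.php" is a made-up file name; audit() scans every top-level .php file.
            (plugin_dir / "sample-main.php").write_text(body, encoding="utf-8")
            results[label] = audit(root)
    with tempfile.TemporaryDirectory() as root:
        results["absent"] = audit(root)
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Any status other than `not-installed` means a copy of the closed plugin is on disk and should be scheduled for removal, since no patched version is being distributed.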
Affected products (2)
- Range: <= 2.0.10
- scriptburn.com/WP Hide Post, v5, Range: n/a
Patches (0)
wp-hide-post: This plugin has been removed from the WordPress.org directory on 2023-07-27 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References (1)