CVE-2026-24966
Description
Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery. This issue affects Copyscape Premium: from n/a through <= 1.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Copyscape Premium plugin up to version 1.4.1 allows attackers to force privileged users into unwanted actions.
Vulnerability Overview
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Copyscape Premium plugin for WordPress, affecting versions from n/a through 1.4.1. The flaw arises from insufficient validation of request origins, enabling an attacker to craft malicious requests that are executed under the authentication of a higher-privileged user [1].
Exploitation Details
To exploit this vulnerability, an attacker must trick a privileged user (such as an administrator or editor) into performing an action such as clicking a malicious link or visiting a crafted page. No direct authentication is required for the attacker, but the victim must be logged into the WordPress site at the time of the attack [1].
Impact
Successful exploitation could allow an attacker to force the victim to execute unintended actions, such as changing plugin settings or performing other administrative tasks, under the victim's current session. This can lead to unauthorized modifications or data exposure [1].
Mitigation
The vulnerability has been addressed in version 1.4.2 of the plugin. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer about recommended security measures is advised. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.4.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.