CVE-2026-7614

VYPR · NVD Advisory · Medium severity (4.3) · Published May 27, 2026

Description

The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings without authorization via a forged request, provided that they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Old Posts Highlighter plugin for WordPress is vulnerable to CSRF due to missing nonce validation, allowing attackers to modify plugin settings.

Vulnerability

The Old Posts Highlighter plugin for WordPress versions up to and including 1.0.3 is vulnerable to Cross-Site Request Forgery (CSRF) in the OPH_options function. The function lacks proper nonce validation, as seen in the admin page code at OPH_admin.php [1][2]. This allows an attacker to forge requests that modify the plugin's configuration settings without the administrator's consent.
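For readers who maintain WordPress plugins, the following is an added illustration of the options-page pattern whose absence the advisory describes. It is not the Old Posts Highlighter plugin's code, and nothing in it reproduces OPH_options or OPH_admin.php; the option key, field names and nonce action string (all prefixed oph_demo_) are hypothetical. It shows a save handler of the unchecked shape the advisory's description implies beside a hardened handler that verifies the nonce and the caller's capability before writing the option.

```php
<?php
/**
 * Added example, not the plugin's own code. Demonstrates the WordPress
 * nonce + capability check that protects a settings handler against CSRF.
 * All names below (oph_demo_*) are hypothetical placeholders.
 */

const OPH_DEMO_OPTION = 'oph_demo_settings';        // hypothetical option key
const OPH_DEMO_ACTION = 'oph_demo_save_settings';   // nonce action string
const OPH_DEMO_NONCE  = 'oph_demo_nonce';           // nonce field name

/**
 * The vulnerable shape: the handler trusts any POST that reaches it. A page
 * on another origin can auto-submit a form carrying these fields, and the
 * administrator's session cookie makes the request look legitimate.
 * Shown only for contrast; do not use.
 */
function oph_demo_save_settings_unchecked() {
    if ( isset( $_POST['min_age_days'] ) ) {
        update_option( OPH_DEMO_OPTION, array(
            'min_age_days' => absint( wp_unslash( $_POST['min_age_days'] ) ),
        ) );
    }
}

/**
 * Renders the settings form. wp_nonce_field() emits a hidden input whose
 * value is tied to the current user and to OPH_DEMO_ACTION, so a forged
 * cross-site request cannot supply a valid one.
 */
function oph_demo_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }
    $settings = get_option( OPH_DEMO_OPTION, array( 'min_age_days' => 365 ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( OPH_DEMO_ACTION, OPH_DEMO_NONCE ); ?>
        <label for="min_age_days">Minimum article age (days)</label>
        <input type="number" name="min_age_days" id="min_age_days"
               value="<?php echo esc_attr( $settings['min_age_days'] ); ?>">
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

/**
 * The hardened handler. check_admin_referer() stops execution (wp_die)
 * unless the posted nonce is valid for this user and action, which a
 * forged request from another origin cannot satisfy. The capability check
 * additionally rejects logged-in users who are not administrators, so a
 * valid nonce from a low-privilege account is not enough either.
 */
function oph_demo_save_settings() {
    if ( ! isset( $_POST['min_age_days'] ) ) {
        return; // nothing submitted on this admin request
    }
    check_admin_referer( OPH_DEMO_ACTION, OPH_DEMO_NONCE );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    $settings = array(
        'min_age_days' => absint( wp_unslash( $_POST['min_age_days'] ) ),
    );
    update_option( OPH_DEMO_OPTION, $settings );
}
add_action( 'admin_init', 'oph_demo_save_settings' );
```

When reviewing a plugin for this class of bug, look for every `update_option()` or `$_POST` read reachable from an admin page and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call and a `current_user_can()` check precede it; a nonce alone does not establish authorization, and a capability check alone does not establish intent.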

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious request that updates the plugin's settings. The attacker must trick a logged-in site administrator into performing an action, such as clicking a link or visiting a specially crafted page. No other authentication or privileges are required for the forged request itself.

Impact

Successful exploitation enables the attacker to alter the plugin's configuration, including parameters such as publication intervals, minimum article age, display options, and excluded categories. This could lead to unauthorized changes in how the plugin highlights old posts, potentially affecting site functionality or user experience. The impact is limited to configuration changes; no direct data exfiltration or remote code execution is described.

Mitigation

As of the publication date, no patched version has been released. The vendor has not provided a fix or workaround in the available references [1][2]. Site administrators should consider disabling the plugin until a security update is available, or implement additional CSRF protections such as using a Web Application Firewall (WAF) or security plugin that adds nonce validation.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.