Medium severity (CVSS 6.1) · NVD Advisory · Published May 27, 2026

CVE-2026-8911

Description

The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This vulnerability bypasses WordPress's DISALLOW_UNFILTERED_HTML protection because the unsanitized value is written directly via update_option at the plugin level, entirely outside of WordPress post content handling.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WP AutoBuzz plugin for WordPress (≤1.1.1) is vulnerable to CSRF allowing unauthenticated attackers to inject malicious scripts via forged requests.

Vulnerability

The WP AutoBuzz plugin for WordPress, in all versions up to and including 1.1.1, is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because the plugin's settings update function lacks proper nonce validation. Specifically, the code at wp-autobuzz.php lines 77, 81, and 93 [1][2][3] processes user-supplied input without verifying a nonce, allowing an attacker to forge requests that modify plugin options. The affected function writes unsanitized values directly via update_option, bypassing WordPress's DISALLOW_UNFILTERED_HTML protection.
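To make the mechanic concrete, the following is an added illustration, not code from the WP AutoBuzz plugin or from this advisory: a minimal WordPress settings handler in the shape the paragraph describes (a POST value written straight to `update_option` with no nonce check), placed beside the hardened form that WordPress core expects for any state-changing admin request. All option, field and action names (`myplugin_*`) are hypothetical placeholders; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_kses_post`) are real core functions.

```php
<?php
// Added illustration (not the WP AutoBuzz plugin's code). Names prefixed
// myplugin_ are hypothetical placeholders chosen for this example.

// --- The pattern the advisory describes: no nonce check, no capability
// --- check, raw POST value written straight to the options table.
function myplugin_save_settings_vulnerable() {
    if ( isset( $_POST['myplugin_banner_html'] ) ) {
        // Any request carrying this field is honored, including one submitted
        // by a form on another origin while an administrator is logged in.
        // update_option() stores the value verbatim, so post-content KSES
        // filtering and DISALLOW_UNFILTERED_HTML never come into play.
        update_option( 'myplugin_banner_html', wp_unslash( $_POST['myplugin_banner_html'] ) );
    }
}

// --- Hardened form: capability check, nonce check, sanitize before storing.
function myplugin_save_settings_hardened() {
    // 1. Capability: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonce: the request must carry the token WordPress issued to this
    //    user for this specific action. A forged cross-site request cannot
    //    read that token, so check_admin_referer() stops here on failure.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    if ( isset( $_POST['myplugin_banner_html'] ) ) {
        // 3. Sanitize before the value ever reaches update_option().
        //    wp_kses_post() keeps the markup a post author may use and strips
        //    <script>, on* event handlers and javascript: URLs.
        $clean = wp_kses_post( wp_unslash( $_POST['myplugin_banner_html'] ) );
        update_option( 'myplugin_banner_html', $clean );
        add_settings_error( 'myplugin', 'saved', __( 'Settings saved.', 'myplugin' ), 'updated' );
    }

    // Redirect back so a refresh does not resubmit the form.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// The form that pairs with the hardened handler: wp_nonce_field() emits the
// hidden token that check_admin_referer() verifies above. The stored value is
// escaped on output as well, so the admin page itself never renders raw HTML.
function myplugin_render_settings_page() {
    $value = get_option( 'myplugin_banner_html', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <textarea name="myplugin_banner_html"><?php echo esc_textarea( $value ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Route the admin-post.php action to the hardened handler only.
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings_hardened' );
```

The two handlers differ only in the three checks, which is exactly the gap the advisory attributes to the plugin: the nonce binds the request to a token the administrator's browser received from the site, the capability check limits who may write the option at all, and sanitizing before `update_option` closes the route around `DISALLOW_UNFILTERED_HTML` that the description mentions. When reviewing a plugin for this class of issue, look for every `update_option` call reachable from a request and confirm that a `check_admin_referer` or `wp_verify_nonce` call and a capability check sit on the same code path.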

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious link or form that, when clicked or submitted by a logged-in site administrator, triggers a state-changing request to the WP AutoBuzz settings page. The attacker does not need any prior authentication or special privileges; the only requirement is to trick an administrator into performing an action (e.g., clicking a link). The forged request can update arbitrary plugin settings, including those that accept unfiltered HTML.

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts (stored XSS) into the plugin's settings. Because the injected value is stored via update_option and later rendered on the plugin's admin page, the attacker can execute malicious JavaScript in the context of the administrator's browser. This can lead to session hijacking, credential theft, or further compromise of the WordPress site. The impact is limited to the administrative interface, but the attacker gains the ability to perform actions with the administrator's privileges.

Mitigation

As of the publication date (2026-05-27), no fixed version has been released. The vendor has not provided a patch or workaround. Users of the WP AutoBuzz plugin should disable the plugin until a security update is available. There is no indication that this vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not yet synthesized for this CVE.

References: 4

News mentions: 0 (no linked articles indexed yet)