VYPR
Medium severity (4.3) · NVD Advisory · Published May 27, 2026

CVE-2026-8938

Description

The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_certification function. This makes it possible for unauthenticated attackers to update the plugin's license key option, and subsequently trigger license validation and pro feature installation on the victim site without the administrator's consent via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation can trigger downstream calls to amJL_is_license_valid() and amJL_download_and_install_pro_features(), meaning the impact extends beyond a simple settings change to unauthorized installation of plugin components.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The auto making JSON-LD plugin for WordPress up to 4.5.3 is vulnerable to CSRF, allowing attackers to update license keys and install pro features without admin consent.

Vulnerability

The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 4.5.3. The vulnerability resides in the amJL_certification function within settings/certification.php [1][2]. The function lacks proper nonce validation, allowing unauthenticated attackers to forge requests that modify the plugin's license key option and trigger subsequent actions.

Exploitation

An attacker can exploit this CSRF vulnerability by crafting a malicious link or form that, when clicked or submitted by a logged-in administrator, sends a forged POST request to the vulnerable endpoint. The request sets the license key and triggers the amJL_is_license_valid() and amJL_download_and_install_pro_features() functions, leading to unauthorized installation of pro plugin components. No authentication is required for the attacker; only the victim administrator must perform an action such as clicking a link.

Impact

Successful exploitation allows an attacker to update the plugin's license key and initiate the download and installation of pro features. This can result in unauthorized modification of plugin settings and the installation of arbitrary plugin components, potentially leading to further compromise of the WordPress site, including remote code execution if the installed pro features contain malicious code.

Mitigation

As of the publication date (2026-05-27), no fixed version has been released. Users should consider disabling the plugin until a patch is available. Alternatively, implement a web application firewall rule to block requests to the vulnerable endpoint or enforce CSRF protection via additional security plugins. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
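The root cause named in the Vulnerability section (a settings handler that writes an option without nonce validation) and the CSRF protection the Mitigation section asks for are easiest to see side by side. The following is an added illustration, not code from the auto making JSON-LD plugin or from its author: the handler names, the option name `example_license_key`, the nonce action `example_save_license` and the `admin_post_` hook are all hypothetical, while the WordPress API calls (`check_admin_referer()`, `wp_nonce_field()`, `current_user_can()`, `update_option()`) are real.

```php
<?php
// Added illustration for this advisory, not the plugin's own code.
// All function, option and hook names below are hypothetical; only the
// WordPress API calls are real.

// --- Weak pattern: a handler that trusts any POST it receives. ---
// Nothing ties the request to a page the administrator actually loaded, so a
// cross-site form submission made by the admin's browser is indistinguishable
// from a genuine save. This is the shape of the defect the advisory describes.
function example_save_license_key_unprotected() {
    if ( isset( $_POST['license_key'] ) ) {
        update_option( 'example_license_key',
            sanitize_text_field( wp_unslash( $_POST['license_key'] ) ) );
    }
}

// --- Hardened pattern: capability check plus nonce validation. ---

// The settings form embeds a nonce bound to the action and the current user.
function example_render_license_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_license', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_license">
        <input type="text" name="license_key"
               value="<?php echo esc_attr( get_option( 'example_license_key', '' ) ); ?>">
        <?php submit_button( 'Save key' ); ?>
    </form>
    <?php
}

function example_save_license_key_protected() {
    // 1. Authorisation: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce named
    //    'example_nonce' against the action 'example_save_license' for the
    //    current user, and stops the request with wp_die() if it is missing or
    //    invalid. A forged cross-site POST cannot carry a valid nonce, so it
    //    never reaches update_option().
    check_admin_referer( 'example_save_license', 'example_nonce' );

    $key = isset( $_POST['license_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['license_key'] ) )
        : '';
    update_option( 'example_license_key', $key );

    // Only after both checks is it safe to run follow-on work such as license
    // validation or component downloads: the request is now proven to express
    // the administrator's own intent rather than a forged one.
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_license', 'example_save_license_key_protected' );
```

The ordering matters: the capability check rejects unprivileged sessions outright, and the nonce check rejects requests that a privileged session did not knowingly originate. A handler that performs only the first check is still exposed to the kind of forged request this advisory describes.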

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.