CVE-2026-8941
Description
The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_options() function. This makes it possible for unauthenticated attackers to update the plugin's settings — including the CDN URL used to rewrite all static asset references on the site — via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The CDN Linker lite plugin for WordPress up to 1.3.1 is vulnerable to CSRF, allowing unauthenticated attackers to modify plugin settings via a forged request.
Vulnerability
The CDN Linker lite plugin for WordPress, versions up to and including 1.3.1, contains a Cross-Site Request Forgery (CSRF) vulnerability in the ossdl_off_options() function. This function is responsible for saving the plugin's settings, including the CDN URL that rewrites all static asset references on the site. The vulnerability arises from missing or incorrect nonce validation, allowing an attacker to forge requests that modify these settings without the administrator's knowledge [1][2].
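As an added illustration (not the plugin's own code), the hypothetical PHP settings handler below shows the bug class the advisory describes, a settings save that accepts any POST riding the administrator's session cookies, beside a version hardened with a capability check and WordPress nonce validation. Function, option and nonce names are assumptions chosen for the example.

```php
<?php
// Hypothetical example of the CSRF pattern (assumed names, not CDN Linker lite source).

// VULNERABLE: no nonce check, no capability check. A cross-origin form post
// sent by a logged-in admin's browser updates the CDN URL unchallenged.
function example_cdn_options_vulnerable() {
    if ( isset( $_POST['cdn_url'] ) ) {
        update_option( 'example_cdn_url', esc_url_raw( wp_unslash( $_POST['cdn_url'] ) ) );
    }
    example_cdn_render_form( false );
}

// HARDENED: require the manage_options capability, then verify a nonce bound
// to this action and the current user's session before touching the option.
function example_cdn_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-cdn' ) );
    }
    if ( isset( $_POST['cdn_url'] ) ) {
        // check_admin_referer() calls wp_die() unless the named nonce field is
        // present and valid for the 'example_cdn_save_options' action.
        check_admin_referer( 'example_cdn_save_options', 'example_cdn_nonce' );
        update_option( 'example_cdn_url', esc_url_raw( wp_unslash( $_POST['cdn_url'] ) ) );
    }
    example_cdn_render_form( true );
}

// Shared form renderer; the hardened page embeds the nonce the handler expects.
function example_cdn_render_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        // Emits hidden inputs example_cdn_nonce and _wp_http_referer.
        wp_nonce_field( 'example_cdn_save_options', 'example_cdn_nonce' );
    }
    echo '<input type="url" name="cdn_url" value="'
        . esc_attr( get_option( 'example_cdn_url', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
```

An attacker's page cannot read the nonce value, which is per-user and time-limited, so the forged request in the advisory fails at check_admin_referer() on the hardened handler; registering the option through the Settings API (register_setting() with a form posting to options.php) gets the same nonce handling from WordPress core.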
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious link or form that, when clicked or submitted by a logged-in site administrator, triggers a request to the ossdl_off_options() function. The attacker does not need any prior authentication or special privileges; the only requirement is to trick an administrator into performing an action, such as clicking a link in an email or visiting a compromised page. The forged request can then update the plugin's settings, including the CDN URL.
Impact
Successful exploitation allows the attacker to change the CDN URL used by the plugin. Since the plugin rewrites all static asset references (e.g., JavaScript, CSS, images) to the specified CDN URL, an attacker can point these assets to a malicious server. This can lead to the injection of arbitrary content, such as malicious scripts, into the site's pages, potentially resulting in cross-site scripting (XSS) attacks, data theft, or further compromise of the site and its visitors.
Mitigation
As of the publication date (2026-05-27), no fixed version of the CDN Linker lite plugin has been released. The plugin is described as unsupported by its author, and the lite version may not receive security updates. Site administrators should consider disabling or removing the plugin if it is not essential. As a workaround, administrators should be cautious about clicking links and ensure that all users with administrative privileges are aware of the risk. Implementing additional security measures, such as Web Application Firewall (WAF) rules to block suspicious requests, may help mitigate exploitation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.