CVE-2026-9722
Description
The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the addOptionsPageFields function. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, tag blacklist, relevance threshold, batch size, and tagging toggles, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected products
- Range: <=1.2.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly validate nonces when updating settings, allowing unauthorized modification."
Attack vector
An unauthenticated attacker can craft a malicious request to update plugin settings, including sensitive information like API keys. This request can be delivered to a victim user, such as a site administrator, through social engineering, like tricking them into clicking a link. If the administrator performs the action, the plugin's settings are updated without proper authorization [ref_id=1].
Affected code
The vulnerability lies within the `addOptionsPageFields` function in the Laiser Tag plugin. This function handles the updating of plugin settings via POST requests. The code does not include sufficient nonce validation, allowing any user to submit requests that modify these settings [ref_id=1].
What the fix does
The patch is not provided in the bundle. The advisory indicates that the vulnerability is fixed in version 1.2.6. Users should update to the latest version to remediate this issue. The fix likely involves implementing nonce validation on the `addOptionsPageFields` function to ensure that only authenticated and authorized users can modify plugin settings.
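The following is an added illustration, not the Laiser Tag plugin's code: a hypothetical settings handler in the shape the advisory describes (a POST handler that writes the options with no nonce check), next to a hardened version that verifies a nonce bound to the action and the caller's capability. Function names, option keys, field names and the nonce action name are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Option keys, field names and
// function names are assumed for illustration.

// BEFORE (vulnerable pattern): any POST reaching the handler is trusted.
function laiser_example_save_settings_vulnerable() {
    if ( empty( $_POST['laiser_save'] ) ) {
        return;
    }
    // No nonce check and no capability check: a cross-site form submitted
    // by an administrator's browser updates the options unchallenged.
    update_option( 'laiser_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    update_option( 'laiser_tag_blacklist', sanitize_textarea_field( wp_unslash( $_POST['tag_blacklist'] ?? '' ) ) );
}

// AFTER (hardened): check the caller's capability, then the nonce tied to
// this specific action, before touching any option.
function laiser_example_save_settings_hardened() {
    if ( empty( $_POST['laiser_save'] ) ) {
        return;
    }
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'laiser-example' ), 403 );
    }
    // check_admin_referer() calls wp_die() when the nonce is missing or
    // invalid; the nonce is bound to the action name and the user's session,
    // so a form hosted on another origin cannot supply a valid one.
    check_admin_referer( 'laiser_example_save_settings', '_laiser_nonce' );

    update_option( 'laiser_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    update_option( 'laiser_tag_blacklist', sanitize_textarea_field( wp_unslash( $_POST['tag_blacklist'] ?? '' ) ) );
    update_option( 'laiser_relevance_threshold', (float) ( $_POST['relevance_threshold'] ?? 0 ) );
    update_option( 'laiser_batch_size', absint( $_POST['batch_size'] ?? 10 ) );
    update_option( 'laiser_tagging_enabled', ! empty( $_POST['tagging_enabled'] ) ? 1 : 0 );
}

// The options page form must emit the matching nonce field so that
// legitimate submissions from the admin page carry it.
function laiser_example_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'laiser_example_save_settings', '_laiser_nonce' );
    echo '<input type="text" name="api_key" value="' . esc_attr( get_option( 'laiser_api_key', '' ) ) . '">';
    submit_button( 'Save', 'primary', 'laiser_save' );
    echo '</form>';
}
```

Both the capability check and the nonce check are needed: the nonce alone does not prove the user is allowed to change settings, and the capability check alone does not stop a forged request riding on an administrator's session.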
Preconditions
- Config: The Laiser Tag plugin must be installed and active on the WordPress site.
- Auth: The attacker does not require any authentication.
- Input: The victim user must be tricked into interacting with a malicious link or request.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/laiser-tag/trunk/include/Tagging.php
- plugins.trac.wordpress.org/browser/laiser-tag/trunk/templates/adminOptionPage.php
- www.wordfence.com/threat-intel/vulnerabilities/id/ed3aaa2a-8211-409c-8a75-1ac59e1d55e2
News mentions
- WordPress: 25 Vulnerabilities Disclosed Together on June 2, 2026 (Vypr Intelligence, Jun 2, 2026)