CVE-2026-9730
Description
The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the gmz_comment_settings_save function. This makes it possible for unauthenticated attackers to modify the plugin's comment-display setting via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected products
- Range: <=1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The gmz_comment_settings_save function lacks proper nonce validation, making it vulnerable to Cross-Site Request Forgery."
Attack vector
An unauthenticated attacker can exploit this vulnerability by tricking a site administrator into clicking a malicious link. This link would trigger a forged request to the gmz_comment_settings_save function, allowing the attacker to modify the plugin's comment-display setting. The vulnerability is present because the function does not correctly validate nonces, which are intended to prevent such forged requests [ref_id=1].
Affected code
The vulnerability resides in the gmz_comment_settings_save function within the gmzxnofollow.php file. This function is responsible for saving comment settings and is susceptible to CSRF attacks due to insufficient nonce validation [ref_id=1].
What the fix does
The patch is not provided in the bundle. The advisory indicates that the vulnerability is due to missing or incorrect nonce validation in the gmz_comment_settings_save function. Remediation would involve verifying a nonce bound to the settings-save action (and the caller's capability) before processing the submitted input, so that a forged cross-site request cannot modify the setting.
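The following is an added illustration of the remediation pattern, not the plugin's own code (the page does not include the patch): a hypothetical WordPress admin-post handler with assumed names (example_comment_settings_save, example_nonce, example_show_links), shown once without the checks and once with check_admin_referer() and a capability check.

```php
<?php
// Added illustration (not the plugin's code). All names are assumptions.

// Form rendering: emit a nonce bound to one specific action name.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_comment_settings_save">';
    wp_nonce_field( 'example_comment_settings_save', 'example_nonce' );
    echo '<label><input type="checkbox" name="show_links" value="1"> Show commenter links</label>';
    submit_button( 'Save' );
    echo '</form>';
}

// BEFORE: no nonce check and no capability check. Any POST carrying the
// field name updates the option, so a form on a third-party page that an
// administrator's browser auto-submits succeeds (CWE-352).
function example_comment_settings_save_vulnerable() {
    update_option( 'example_show_links', isset( $_POST['show_links'] ) ? 1 : 0 );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// AFTER: verify the nonce for this exact action, then the capability.
// check_admin_referer() stops the request with "The link you followed has
// expired" when the nonce is missing, stale, or issued for another action.
function example_comment_settings_save_fixed() {
    check_admin_referer( 'example_comment_settings_save', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }
    update_option( 'example_show_links', isset( $_POST['show_links'] ) ? 1 : 0 );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// Hook only admin_post_ (logged-in users); no admin_post_nopriv_ handler is
// registered, so anonymous requests never reach the save logic at all.
add_action( 'admin_post_example_comment_settings_save', 'example_comment_settings_save_fixed' );
```

WordPress nonces are tied to the logged-in user and to the action string, so a page the administrator did not load from the site cannot supply a valid one; the capability check additionally stops lower-privileged accounts that do hold a valid session.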
Preconditions
- Authentication: the attacker does not need to be authenticated.
- Input: the attacker needs to trick a site administrator into clicking a malicious link.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/remove-nofollow-commenter-link/tags/1.0/gmzxnofollow.php
- www.wordfence.com/threat-intel/vulnerabilities/id/c47e170f-f51e-400a-97f3-4da034c193a9
News mentions
- WordPress: 25 Vulnerabilities Disclosed Together on June 2, 2026 (Vypr Intelligence, Jun 2, 2026)