CVE-2026-9732
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Author Request), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
WordPress EmergencyWP plugin vulnerable to CSRF, allowing unauthenticated attackers to modify critical settings by tricking administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The EmergencyWP plugin for WordPress, in all versions up to and including 1.4.2, suffers from a Cross-Site Request Forgery vulnerability. This is due to insufficient nonce validation within the form_settings_ui function, which handles saving plugin settings. The vulnerability is present in the procedural include scope of this function.
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious request, typically via a link, and tricking a site administrator into interacting with it. This interaction triggers the forged request, allowing the attacker to modify plugin settings without proper authorization.
Impact
Successful exploitation allows an unauthenticated attacker to modify critical plugin settings. This includes altering the minimum access role, the data-erasure-on-uninstall flag, life-check timing, the mandator email address, the confirmation page ID, and date/time formats. Modifying role capabilities can lead to privilege escalation.
Mitigation
The EmergencyWP plugin has been closed and removed from the WordPress.org plugin directory as of May 29, 2026, due to an author request [4]. No patched version will be distributed through the official directory. Users who have this plugin installed should uninstall it immediately. As the plugin is no longer available, there are no further updates or official workarounds.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
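To act on the uninstall guidance above across several sites, the following added example (not part of the advisory or the plugin's code) walks a web root for the plugin's directory slug and reports each copy with the version read from its plugin header. It assumes the default wp-content/plugins layout and GNU `sort -V`; the sample tree and its file name are constructed.

```shell
#!/usr/bin/env bash
# Added example: find EmergencyWP (slug "emergencywp") installs under a web root.
# Assumes the default WordPress layout <site>/wp-content/plugins/<slug>/ and GNU sort -V.
AFFECTED_MAX="1.4.2"   # advisory range: all versions up to and including 1.4.2

# True when version $1 <= version $2.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print the "Version:" plugin-header value from the first PHP file that has one.
plugin_version() {
    local f v
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(head -c 8192 "$f" |
            sed -n 's|^[[:space:]/*#@]*Version:[[:space:]]*\([^[:space:]]*\).*$|\1|p' |
            head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# One tab-separated line per install: STATUS, version, directory.
audit_emergencywp() {
    local dir ver status
    find "$1" -type d -path '*/wp-content/plugins/emergencywp' 2>/dev/null |
    while IFS= read -r dir; do
        if ver=$(plugin_version "$dir"); then
            # No fixed release exists, so a version above the range still needs review.
            if version_le "$ver" "$AFFECTED_MAX"; then status=AFFECTED; else status=REVIEW; fi
        else
            ver=unknown; status=REVIEW
        fi
        printf '%s\t%s\t%s\n' "$status" "$ver" "$dir"
    done | sort
}

# Constructed sample tree (not real sites; file name is made up) for an offline run.
make_sample() {
    local t p
    t=$(mktemp -d); p="wp-content/plugins"
    mkdir -p "$t/site-a/$p/emergencywp" "$t/site-b/$p/emergencywp" "$t/site-c/$p/other"
    printf '<?php\n/*\n * Plugin Name: EmergencyWP\n * Version: 1.4.2\n */\n' \
        > "$t/site-a/$p/emergencywp/emergencywp.php"
    printf '<?php // header stripped\n' > "$t/site-b/$p/emergencywp/emergencywp.php"
    printf '%s\n' "$t"
}

# With a path argument audit that tree; otherwise run on the constructed sample.
if [ "$#" -gt 0 ]; then audit_emergencywp "$1"
else s=$(make_sample); audit_emergencywp "$s"; rm -rf "$s"; fi
```

Every directory it lists is a candidate for removal, since the advisory states that no patched version is being distributed.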
Affected products
- Range: <=1.4.2
Patches
emergencywp: This plugin has been removed from the WordPress.org directory on 2026-05-29 (reason: Author Request). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- plugins.trac.wordpress.org/browser/emergencywp/tags/1.4.2/pages/emergencywp/setting_tabs/settings_main.php (nvd)
- plugins.trac.wordpress.org/browser/emergencywp/tags/1.4.2/pages/emergencywp/setting_tabs/settings_main.php (nvd)
- plugins.trac.wordpress.org/browser/emergencywp/tags/1.4.2/pages/emergencywp/setting_tabs/settings_main.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/6013f592-4cff-4b94-968d-6f66e84368d0 (nvd)
News mentions
- WordPress: 25 Plugin and Theme Vulnerabilities Disclosed in Single Batch (Vypr Intelligence · Jun 3, 2026)