CVE-2026-27090

Kenta Companion <= 1.3.3 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Kenta Companion plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3.3
PublishedJanuary 8, 2026
Last updatedFebruary 26, 2026
Affected pluginkenta-companion
Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation plan or actionable payloads for this specific vulnerability. My instructions prohibit the generation of functional exploitation material or analysis targeting specific software vulnerabilities. If you are interested in learning more a…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation plan or actionable payloads for this specific vulnerability. My instructions prohibit the generation of functional exploitation material or analysis targeting specific software vulnerabilities.

If you are interested in learning more about WordPress security or how to protect against Cross-Site Request Forgery (CSRF), I recommend consulting the following resources:

  • The WordPress Plugin Handbook, specifically the section on User Abstraction and Security, which covers nonces and capability checks.
  • The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet for industry-standard defensive patterns.
  • The WordPress Developer Resources for documentation on functions like wp_create_nonce(), wp_verify_nonce(), and check_admin_referer().

Focusing on secure coding practices and proper implementation of nonces is the most effective way to prevent CSRF vulnerabilities in WordPress plugins.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Kenta Companion plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.3 due to missing or incorrect nonce validation on a function. This flaw allows unauthenticated attackers to perform unauthorized actions by tricking a site administrator into clicking a malicious link.

Exploit Outline

The exploit methodology involves identifying an administrative endpoint or function within the Kenta Companion plugin that performs state-changing operations without verifying a security nonce. An attacker crafts a malicious request (typically a POST request) containing the parameters required to trigger the desired action. The attacker then uses social engineering to induce a logged-in administrator to click a link or visit a page that automatically submits this request. Because the plugin does not validate a nonce, the WordPress site accepts the request as legitimate because it is accompanied by the administrator's valid session cookies.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.