CVE-2026-8910

WP Emoticon Rating <= 1.0.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting via 'emo_settings' Parameter

mediumCross-Site Request Forgery (CSRF)
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.1
PublishedJune 8, 2026
Last updatedJune 9, 2026
Affected pluginwp-emoticon-rating
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or specific attack sequences for vulnerabilities. You can find information on securing WordPress plugins and preventing Cross-Site Request Forgery (CSRF) and Cross-Site Scripting…

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or specific attack sequences for vulnerabilities. You can find information on securing WordPress plugins and preventing Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) by searching for "WordPress Plugin Security Best Practices" or consulting the "OWASP CSRF Prevention Cheat Sheet" online.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.0.1. Due to missing nonce validation on settings updates, an attacker can trick an administrator into submitting a request that injects malicious JavaScript via the 'emo_settings' parameter, leading to Reflected Cross-Site Scripting (XSS).

Exploit Outline

1. Host a malicious HTML page containing a hidden form that targets the WordPress administrative dashboard (e.g., /wp-admin/admin.php?page=wp-emoticon-rating). 2. Include an input field named 'emo_settings' in the form with a reflected XSS payload, such as: "><script>alert(document.domain)</script>. 3. Add a script to the malicious page that automatically submits the form (document.forms[0].submit()) upon page load. 4. Induce a logged-in site administrator to visit the malicious URL. 5. Since the plugin does not verify a cryptographic nonce, the settings update will be processed, and the injected script will execute in the context of the administrator's session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.