[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f49pqGPuXt6CmNe7YMCbEHfGK2ommuZipFzhMbKghL7U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-8910","wp-emoticon-rating-cross-site-request-forgery-to-reflected-cross-site-scripting-via-emosettings-parameter","WP Emoticon Rating \u003C= 1.0.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting via 'emo_settings' Parameter","The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","wp-emoticon-rating",null,"\u003C=1.0.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-08 15:06:05","2026-06-09 03:41:22",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb2a0b560-3f5a-4d09-9cc1-e22b2a19dfe6?source=api-prod",[],"researched",false,3,"Sorry, I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or specific attack sequences for vulnerabilities. You can find information on securing WordPress plugins and preventing Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) by searching for \"WordPress Plugin Security Best Practices\" or consulting the \"OWASP CSRF Prevention Cheat Sheet\" online.","The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.0.1. Due to missing nonce validation on settings updates, an attacker can trick an administrator into submitting a request that injects malicious JavaScript via the 'emo_settings' parameter, leading to Reflected Cross-Site Scripting (XSS).","1. Host a malicious HTML page containing a hidden form that targets the WordPress administrative dashboard (e.g., \u002Fwp-admin\u002Fadmin.php?page=wp-emoticon-rating).\n2. Include an input field named 'emo_settings' in the form with a reflected XSS payload, such as: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n3. Add a script to the malicious page that automatically submits the form (document.forms[0].submit()) upon page load.\n4. Induce a logged-in site administrator to visit the malicious URL.\n5. Since the plugin does not verify a cryptographic nonce, the settings update will be processed, and the injected script will execute in the context of the administrator's session.","gemini-3-flash-preview","2026-06-26 02:11:14","2026-06-26 02:11:51",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-emoticon-rating\u002Ftags"]