PT-2026-34309 · WordPress · Pagerank Display

Published: 2026-04-22 · Updated: 2026-04-25 · CVE-2026-6294

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Google PageRank Display versions prior to 1.5

Description

Cross-Site Request Forgery occurs due to missing nonce validation in the gpdisplay_option() function, which manages the plugin settings page. The settings form lacks a wp_nonce_field() call, and the handler fails to call check_admin_referer() or wp_verify_nonce() before processing POST requests. This allows unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that modifies plugin settings stored via update_option(), such as the display style for the PageRank badge.

Recommendations

Update to a version later than 1.4.
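
For reviewing other settings pages for the same flaw, here is the nonce pattern the description says is missing, applied to a settings handler. This is an added example, not the plugin's own code or its patch; the function name, option name, nonce action and field, and the list of styles are all hypothetical.

```php
<?php
// Added example: a hypothetical settings page, not code from the affected plugin.
// example_settings_page, example_badge_style, example_save_settings and
// example_nonce are assumed names; the style values are constructed samples.

function example_settings_page() {
    // Only administrators may view or change these settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.' ) );
    }

    $allowed_styles = array( 'small', 'large', 'text' );

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['example_badge_style'] ) ) {
        // Ends the request unless it carries a valid nonce for this action
        // issued to the current user, so a cross-site form post is rejected
        // before any option is written.
        check_admin_referer( 'example_save_settings', 'example_nonce' );

        // Accept only known values before storing the setting.
        $style = sanitize_key( wp_unslash( $_POST['example_badge_style'] ) );
        if ( in_array( $style, $allowed_styles, true ) ) {
            update_option( 'example_badge_style', $style );
        }
    }

    $current = get_option( 'example_badge_style', 'small' );
    ?>
    <form method="post">
        <?php // Emits the hidden nonce field that the handler above verifies. ?>
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <select name="example_badge_style">
            <?php foreach ( $allowed_styles as $style ) : ?>
                <option value="<?php echo esc_attr( $style ); ?>" <?php selected( $current, $style ); ?>>
                    <?php echo esc_html( $style ); ?>
                </option>
            <?php endforeach; ?>
        </select>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

A handler that reaches update_option() without a preceding check_admin_referer() or wp_verify_nonce() call is the condition to look for when auditing similar plugins.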

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-6294

Affected Products

Pagerank Display