PT-2026-36958 · WordPress · Dx Sources

Muhammad Afnaan · Published 2026-05-05 · Updated 2026-05-21 · CVE-2026-6700

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

DX Sources versions prior to 2.0.2

Description

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), a flaw in which an attacker tricks a victim into performing actions they did not intend. The cause is missing or incorrect nonce validation in the settings page build() function. An unauthenticated attacker can modify the plugin's configuration options through a forged request, provided they can trick a logged-in administrator into performing an action such as clicking a malicious link.

Recommendations

Update to version 2.0.2 or later. As a temporary workaround, restrict access to the settings page build() function to minimize the risk of exploitation.
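The following is an added example, not DX Sources' own code or its 2.0.2 patch: a WordPress settings page whose build() method both renders and saves the form, with the nonce and capability checks that this class of flaw lacks. The class name, option key, form field, and nonce action and field names are hypothetical; the WordPress functions are core APIs.

```php
<?php
/**
 * Plugin Name: Example Settings Nonce Check (constructed example)
 */

// All names below (class, option key, nonce action and field) are hypothetical.
class Example_Settings_Page {
    const OPTION       = 'example_sources_options';
    const NONCE_ACTION = 'example_sources_save';
    const NONCE_FIELD  = 'example_sources_nonce';

    public function register() {
        add_action( 'admin_menu', function () {
            add_options_page( 'Example Sources', 'Example Sources',
                'manage_options', 'example-sources', array( $this, 'build' ) );
        } );
    }

    // Renders the form and handles its submission in one handler.
    public function build() {
        // Authorization: only administrators may view or change settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.' ) );
        }

        if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
            // Intent: without this check, a cross-site POST carried by a
            // logged-in administrator's browser would be accepted.
            // check_admin_referer() stops the request with a 403 response
            // when the nonce is absent or invalid.
            check_admin_referer( self::NONCE_ACTION, self::NONCE_FIELD );

            $title = isset( $_POST['title'] )
                ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
            update_option( self::OPTION, array( 'title' => $title ) );
            echo '<div class="updated"><p>Settings saved.</p></div>';
        }

        $opts = get_option( self::OPTION, array( 'title' => '' ) );
        echo '<div class="wrap"><form method="post">';
        // Emits the hidden nonce field tied to this action and the current user.
        wp_nonce_field( self::NONCE_ACTION, self::NONCE_FIELD );
        printf( '<input type="text" name="title" value="%s" />', esc_attr( $opts['title'] ) );
        submit_button();
        echo '</form></div>';
    }
}

( new Example_Settings_Page() )->register();
```

The capability check alone does not stop CSRF, because the forged request runs with the administrator's own session; the nonce is what ties the submission to a form the site itself rendered.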

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-6700

Affected Products

Dx Sources