CVE-2026-1070

Name of the Vulnerable Software and Affected Versions Alex User Counter plugin for WordPress versions prior to 6.1

Description The software is susceptible to Cross-Site Request Forgery (CSRF). This is caused by a lack of nonce validation within the alex user counter function() function. An unauthenticated attacker could potentially update the plugin settings by forging a request, provided they can trick a site administrator into performing an action, such as clicking a malicious link.

Recommendations Update the Alex User Counter plugin to version 6.1 or later. As a temporary workaround, consider disabling the alex user counter function() function until a patch is available.