anonhaven
Ad

CVE-2026-3903

MEDIUM CVSS 3.1: 4.3
Updated Mar 11, 2026
WordPress
Parameter Value
CVSS 4.3 (MEDIUM)
Type CWE-352 (Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов))
Vendor WordPress
Public PoC No

The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
Required
Нужно действие пользователя

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
Low
Частичная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v3.1

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF) (Подделка межсайтовых запросов)

References 2

https://plugins.trac.wordpress.org/changeset/3441222/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/913a94ad-f425-4d24-9e…
security@wordfence.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3906

WordPress

4.3

CVE-2026-3492

WordPress

6.4

CVE-2026-3231

WordPress

7.2

CVE-2026-1454

WordPress

7.2

CVE-2026-2918

WordPress

6.4