What the vulnerability does
01 Description
The WordPress Automatic Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.118.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to update campaigns and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
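The pattern described above, as an added illustration that is not code from the WordPress Automatic plugin: a settings handler that changes state from a POST without checking a nonce or the caller's capability, beside the same handler hardened with the standard WordPress checks. The function, option and field names are hypothetical; the page does not name the affected function.

```php
<?php
// Added illustration, not the plugin's own code. All names below are hypothetical.

// --- Vulnerable pattern (shown for comparison, not registered) ---
// Nothing ties this request to a form the administrator actually loaded, so a
// page on an attacker's site can submit it cross-origin while the
// administrator's browser attaches the WordPress login cookies (CSRF). The raw
// value is stored and later echoed, so an injected <script> becomes stored XSS.
function example_update_campaign_unsafe() {
    if ( isset( $_POST['campaign_title'] ) ) {
        update_option( 'example_campaign_title', $_POST['campaign_title'] );
    }
}

// --- Hardened pattern ---
function example_update_campaign_safe() {
    if ( ! isset( $_POST['campaign_title'] ) ) {
        return;
    }
    // 1. Authorization: the caller must hold the capability to change campaigns.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the request must carry a nonce bound to this action and
    //    this user. A cross-origin page cannot obtain one, so check_admin_referer()
    //    terminates the request and the forged update never runs.
    check_admin_referer( 'example_update_campaign', 'example_nonce' );
    // 3. Sanitize on input; the value is escaped again on output below.
    $title = sanitize_text_field( wp_unslash( $_POST['campaign_title'] ) );
    update_option( 'example_campaign_title', $title );
}
add_action( 'admin_init', 'example_update_campaign_safe' );

// The legitimate form embeds the nonce that the handler verifies, and escapes
// the stored value so it cannot execute as script when rendered.
function example_render_campaign_form() {
    $title = get_option( 'example_campaign_title', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_update_campaign', 'example_nonce' );
    echo '<input type="text" name="campaign_title" value="' . esc_attr( $title ) . '">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

When reviewing a plugin for this class of bug, look for every handler that writes options, posts or campaign data from `$_POST`, `$_GET` or `$_REQUEST` and confirm it calls `check_admin_referer()` or `wp_verify_nonce()` with the same action string the form passes to `wp_nonce_field()`, plus a `current_user_can()` check; a nonce alone is not an authorization check, and a capability check alone does not stop CSRF.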
Explanation of Vulnerability in Simple Terms
02 Summary
The WordPress Automatic plugin through version 3.118.0 contains a cross-site request forgery (CSRF) vulnerability that lets an attacker update a campaign and inject malicious scripts, because the request handler does not validate a nonce. The attacker does not need an account on the site, but the forged request only succeeds if a logged-in site administrator is tricked into triggering it, for example by clicking an attacker-crafted link. The injected JavaScript is stored by the plugin and then executes in the browsers of users who view the affected content, potentially affecting other users or site functionality.
What an attacker can do
03 Attacker Capabilities
Update a campaign and inject JavaScript that executes in the browsers of users who load the affected content, to steal data or perform actions in those users' sessions. The attacker needs no account on the site but must trick an administrator into submitting the forged request.
Potential impact on your site
04 Site Impact
If an administrator is tricked into submitting the forged request, the injected script runs for users who view the affected content; those users could have their sessions hijacked, credentials stolen, or be redirected to phishing pages.
Conditions required to exploit
05 Prerequisites
A logged-in site administrator must be tricked into performing an action such as clicking an attacker-crafted link; the attacker needs no account on the site.
Key dates
06 Disclosure timeline
August 26, 2025
CVE published
April 8, 2026
Record updated