What the vulnerability does
01 Description
The Memory Usage plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.98. The cause is missing nonce validation in the wpmemory_install_plugin() function. As a result, an unauthenticated attacker can silently install one of several whitelisted plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking a link.
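The check whose absence is described above, shown in a hardened install handler. This is an added example, not the Memory Usage plugin's code or its patch; the `example_` names, the `slug` parameter, and the allowlist entries are hypothetical.

```php
<?php
// Hypothetical handler for illustration; names and slugs below are constructed.
const EXAMPLE_ALLOWED_SLUGS = array( 'example-plugin-a', 'example-plugin-b' );

// Page-rendering side: the nonce is tied to this action and the current user's
// session, so a request forged from another origin cannot supply a valid one.
function example_install_nonce() {
    return wp_create_nonce( 'example_install_plugin' );
}

// wp_ajax_* fires only for logged-in users; no wp_ajax_nopriv_* hook is registered.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin' );

function example_install_plugin() {
    // 1. CSRF defence: reject the request unless it carries a valid nonce.
    //    Without this step, the administrator's cookies alone authorise the action.
    if ( ! check_ajax_referer( 'example_install_plugin', '_ajax_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorisation: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: only slugs on the allowlist, compared strictly.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, EXAMPLE_ALLOWED_SLUGS, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not allowed.' ), 400 );
    }

    // 4. Install through the core upgrader once all three checks have passed.
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( true !== $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The allowlist in step 3 limits what can be installed but does not stop a forged request; only the nonce check in step 1 does that.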
Explanation of Vulnerability in Simple Terms
02 Summary
A cross-site request forgery (CSRF) vulnerability in the Memory Usage, Memory Limit, PHP and Server Memory Health Check plugin allows an attacker to perform unwanted actions on behalf of an authenticated user. The vulnerability requires user interaction—typically clicking a malicious link—but does not require the attacker to be authenticated. An attacker can modify site settings or data with the privileges of the user who visits the malicious page.
What an attacker can do
03 Attacker Capabilities
Perform unwanted actions (like changing settings) on behalf of a logged-in site user.
Potential impact on your site
04 Site Impact
Site settings or data could be altered without the user's knowledge if they visit an attacker's page while logged in.
Conditions required to exploit
05 Prerequisites
An authenticated site user must visit a page controlled by the attacker (e.g., click a malicious link).
Key dates
06 Disclosure timeline
July 27, 2025: CVE published
April 8, 2026: Record updated