What the vulnerability does
01Description
Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.This issue affects Kenta Companion: from n/a through <= 1.3.3.
CVE-2026-27090
MEDIUM
CVE-2026-27090: WordPress Kenta Companion plugin <= 1.3.3 - Cross Site Request Forgery (CSRF) vulnerability
CVSS base score
4.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Kenta Companion versions up to 1.3.3 contain a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unwanted actions on behalf of site visitors. An attacker can craft a malicious link or page that, when visited by a logged-in user, triggers unintended changes. The vulnerability requires user interaction and does not expose sensitive data, but can modify site content or settings.
What an attacker can do
03Attacker Capabilities
Trick a logged-in user into performing unwanted actions on the site, such as changing settings or creating content.
Potential impact on your site
04Site Impact
Site visitors could unknowingly make changes to your site's content or configuration if tricked into visiting a malicious page.
Conditions required to exploit
05Prerequisites
A logged-in site user must visit an attacker-controlled page or click a malicious link.
Key dates
06Disclosure timeline
February 19, 2026
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-48307 WordPress SEO For Images plugin <= 1.0.0 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
CVE-2024-24798 WordPress Debug Plugin <= 1.10 is vulnerable to Cross Site Request Forgery (CSRF)
CVE-2025-23673 WordPress Email on Publish plugin <= 1.5 - CSRF to Stored XSS vulnerability
CVE-2023-35038 WordPress WP PDF Generator Plugin <= 1.2.2 is vulnerable to Cross Site Request Forgery (CSRF)
CVE-2024-2820 DedeCMS baidunews.php cross-site request forgery
