What the vulnerability does
01 Description
The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the create_admin_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
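The nonce validation the description refers to, shown as an added example (not the plugin's own code): a hypothetical settings-page callback in its vulnerable form beside a hardened one. The option name, nonce action and function names are assumptions made for illustration.

```php
<?php
// Added illustration. The option name, nonce action and function names are
// hypothetical and are not taken from the Sentence To SEO plugin.
const EXAMPLE_OPTION       = 'example_seo_keywords';
const EXAMPLE_NONCE_ACTION = 'example_seo_save_settings';

// Vulnerable pattern: any POST that arrives with the admin's session cookies
// is accepted, and the stored value is echoed back without escaping.
function example_settings_page_vulnerable() {
    if ( isset( $_POST['keywords'] ) ) {
        update_option( EXAMPLE_OPTION, $_POST['keywords'] );
    }
    echo '<form method="post"><input name="keywords" value="'
        . get_option( EXAMPLE_OPTION, '' ) . '"><input type="submit"></form>';
}

// Hardened pattern: capability check, nonce verification, sanitize on save,
// escape on output.
function example_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['keywords'] ) ) {
        // Stops the request unless it carries a valid nonce for this action,
        // which a page on another origin cannot obtain.
        check_admin_referer( EXAMPLE_NONCE_ACTION );
        $keywords = sanitize_text_field( wp_unslash( $_POST['keywords'] ) );
        update_option( EXAMPLE_OPTION, $keywords );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION ); ?>
        <input name="keywords"
               value="<?php echo esc_attr( get_option( EXAMPLE_OPTION, '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce blocks the forged request; sanitizing on save and escaping on output limit what a stored value can do even if a request does get through.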
Explanation of Vulnerability in Simple Terms
02 Summary
Sentence To SEO versions 1.0 and earlier are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the site without their knowledge. The vulnerability requires user interaction—the admin must visit the attacker's page while authenticated. Impact is limited to low-level data modification.
What an attacker can do
03 Attacker Capabilities
Trick a logged-in admin into performing unwanted actions on the site via a malicious webpage.
Potential impact on your site
04 Site Impact
Admins could unknowingly modify site settings or data if tricked into visiting a malicious link.
Conditions required to exploit
05 Prerequisites
The admin must visit an attacker-controlled page while logged into the site.
Key dates
06 Disclosure timeline
May 20, 2026: CVE published
May 20, 2026: Record updated