Vulnerabilities ›

CVE-2026-8906

Medium

CWE-352 — Weakness Type

                    Published: May 27, 2026                      ·  Modified: May 30, 2026                      ·  Source: NVD                

CVSS v3

6.1

🔗 NVD Official

📄 Description (English)

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

🤖 AI Executive Summary

CVE-2026-8906 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Promoter WordPress plugin affecting all versions up to 1.3. Unauthenticated attackers can exploit this vulnerability to modify plugin settings and inject malicious scripts if they trick site administrators into clicking a malicious link. With no patch currently available and no exploit publicly disclosed, organizations should implement immediate compensating controls.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 29, 2026 07:33

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations operating WordPress-based websites, particularly in the e-commerce, marketing, and digital services sectors. Government agencies and financial institutions using WordPress for promotional campaigns are at risk. The vulnerability allows attackers to inject malicious content, potentially leading to data theft, malware distribution, or defacement. Saudi organizations in retail, hospitality, and digital marketing sectors using WP Promoter are most vulnerable. The attack requires social engineering, making it particularly dangerous in environments with limited security awareness training.

🏢 Affected Saudi Sectors

E-commerce and Retail Digital Marketing and Advertising Government and Public Sector Financial Services and Banking Hospitality and Tourism Healthcare and Pharmaceuticals Media and Publishing Education

🎯 MITRE ATT&CK Techniques

T1189 - Service Exploitation T1566.002 - Phishing: Spearphishing Link T1539 - Steal Web Session Cookie T1190 - Exploit Public-Facing Application T1547.015 - Boot or Logon Initialization Scripts: Startup Items T1059.007 - Command and Scripting Interpreter: JavaScript

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Audit all WordPress installations to identify WP Promoter plugin usage and version numbers

2. Disable the WP Promoter plugin immediately if not critical to operations

3. If plugin is essential, restrict admin access to trusted IP addresses only

4. Implement Web Application Firewall (WAF) rules to detect and block CSRF attempts

5. Monitor admin activity logs for unauthorized setting changes



Compensating Controls:

1. Enforce strong authentication: implement multi-factor authentication (MFA) for all WordPress administrators

2. Deploy CSRF tokens validation at the WAF level for all admin requests

3. Implement Content Security Policy (CSP) headers to prevent script injection

4. Use WordPress security plugins (e.g., Wordfence, Sucuri) with CSRF protection capabilities

5. Conduct security awareness training emphasizing phishing and malicious link risks

6. Implement request signing and verification for sensitive admin operations



Detection Rules:

1. Monitor for POST requests to wp-admin without valid nonce parameters

2. Alert on admin setting changes originating from external referrers

3. Track failed nonce validation attempts in WordPress logs

4. Monitor for script injection attempts in plugin settings

5. Log all admin account activities with timestamp and source IP

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تثبيتات WordPress لتحديد استخدام مكون WP Promoter وأرقام الإصدارات

2. تعطيل مكون WP Promoter فوراً إذا لم يكن حرجاً للعمليات

3. إذا كان المكون ضرورياً، قيد الوصول الإداري إلى عناوين IP الموثوقة فقط

4. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن محاولات CSRF وحجبها

5. مراقبة سجلات نشاط المسؤول للتغييرات غير المصرح بها

الضوابط التعويضية:

1. فرض المصادقة القوية: تنفيذ المصادقة متعددة العوامل (MFA) لجميع مسؤولي WordPress

2. نشر التحقق من رموز CSRF على مستوى WAF لجميع طلبات المسؤول

3. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لمنع حقن النصوص البرمجية

4. استخدام مكونات أمان WordPress (مثل Wordfence و Sucuri) مع قدرات حماية CSRF

5. إجراء تدريب على الوعي الأمني يركز على مخاطر التصيد والروابط الضارة

6. تنفيذ توقيع الطلبات والتحقق منها للعمليات الإدارية الحساسة

قواعد الكشف:

1. مراقبة طلبات POST إلى wp-admin بدون معاملات nonce صحيحة

2. تنبيه تغييرات إعدادات المسؤول من مراجع خارجية

3. تتبع محاولات التحقق من nonce الفاشلة في سجلات WordPress

4. مراقبة محاولات حقن النصوص البرمجية في إعدادات المكون

5. تسجيل جميع أنشطة حساب المسؤول مع الطابع الزمني وعنوان IP المصدر

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information Security Policies and Procedures A.6.1.1 - Access Control Policy A.6.2.1 - User Registration and De-registration A.7.2.1 - Information Security Awareness and Training A.12.2.1 - Change Management A.12.6.1 - Management of Technical Vulnerabilities

🔵 SAMA CSF

Governance (GOV-01) - Information Security Governance Governance (GOV-02) - Risk Management Protection (PRO-01) - Access Control Protection (PRO-02) - Data Protection Detection (DET-01) - Security Monitoring and Logging Response (RES-01) - Incident Response

🟡 ISO 27001:2022

A.5.1 - Management Direction for Information Security A.6.1 - Screening A.6.2 - Terms and Conditions of Employment A.7.1 - Prior to Employment A.7.2 - During Employment A.8.1 - User Endpoint Devices A.8.2 - Privileged Access Rights A.8.3 - Information Access Restriction A.12.6 - Management of Technical Vulnerabilities

🟣 PCI DSS v4.0.1

Requirement 6.2 - Security Patches and Updates Requirement 6.5.9 - Cross-Site Request Forgery (CSRF) Requirement 7.1 - Limit Access to System Components Requirement 8.1 - Assign Unique ID to Each User Requirement 8.2 - Strong Authentication Methods

🔗 References & Sources 5

🔗

https://plugins.trac.wordpress.org/browser/wp-promoter/tags/1.3/admin-wp-promoter.php#L120

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/wp-promoter/tags/1.3/admin-wp-promoter.php#L45

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/wp-promoter/tags/1.3/admin-wp-promoter.php#L64

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/wp-promoter/tags/1.3/admin-wp-promoter.php#L66

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/8451fe09-4280-49ef-b088-698cb...

security@wordfence.com

📊 CVSS Score

6.1

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.1

CWECWE-352

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-05-27

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-352

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-8906

Introduce Yourself

Sign In Required