CVE-2026-1076 in Star Review Manager Plugin

Summary

by MITRE • 01/24/2026

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 01/25/2026

The Star Review Manager plugin for WordPress contains a critical cross-site request forgery vulnerability, tracked as CVE-2026-1076, affecting all versions through 1.2.2. The vulnerability stems from the absence of nonce validation on the plugin's administrative settings page, a significant weakness that undermines the integrity of sites running the plugin. The flaw is a direct violation of web application security best practices and exposes WordPress sites to exploitation by malicious actors.

The vulnerability arises because the plugin does not validate a nonce token when processing form submissions on its settings page. In WordPress, a nonce is a cryptographic safeguard that ties a request to a specific action, user and time window, so that a settings update can only be triggered by a form the site itself rendered for a legitimate administrative session. Without this check, an attacker can craft a request that the administrator's browser submits with the administrator's own session cookies, abusing the trust relationship between the WordPress admin interface and the plugin's settings handler. This weakness is classified as CWE-352, cross-site request forgery.

The operational impact goes beyond a simple configuration change: the forged request lets an unauthenticated attacker modify the CSS settings in the plugin's administrative interface. That capability could be used to manipulate the visual presentation of review elements on the site, potentially supporting social engineering or the injection of malicious content through CSS-based techniques. Exploitation has minimal prerequisites, since the attacker needs no account of their own; the attack instead relies on social engineering, such as a phishing campaign or luring an administrator to a malicious page containing the crafted request.

Security professionals should place this vulnerability within the ATT&CK framework's privilege escalation and persistence categories, where attackers leverage weak input validation and insufficient access controls to gain unauthorized administrative capabilities. Its presence in the WordPress plugin ecosystem highlights the importance of security testing and validation of third-party components. Organizations running affected versions should immediately update to a patched version, implement additional access controls, and monitor for suspicious administrative activity. The incident underscores the need for comprehensive security reviews of all plugin components and for robust request validation to prevent similar flaws from compromising web application integrity and user data.
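The pattern described above, shown as an added example (this is not the Star Review Manager plugin's own code): a hypothetical settings handler that writes a CSS option without any nonce check, next to a hardened version that renders a nonce field, verifies it with check_admin_referer(), and enforces the capability check that a nonce alone does not provide. The function, option and action names (srm_*) are assumptions.

```php
<?php
// Added example, not the plugin's own code. Option and action names are assumed.

// --- Vulnerable pattern: every POST that reaches the handler is trusted. ---
function srm_vuln_save_css() {
    if ( isset( $_POST['srm_custom_css'] ) ) {
        // No nonce and no capability check: a cross-site form submitted by a
        // logged-in administrator's browser lands here with their cookies.
        update_option( 'srm_custom_css', wp_unslash( $_POST['srm_custom_css'] ) );
    }
}

// --- Hardened pattern: render the form with a nonce field ... ---
function srm_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="srm_save_css">
        <?php wp_nonce_field( 'srm_save_css', 'srm_nonce' ); ?>
        <textarea name="srm_custom_css"><?php echo esc_textarea( get_option( 'srm_custom_css', '' ) ); ?></textarea>
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}

// ... and verify it, plus the capability, before touching the option.
function srm_safe_save_css() {
    // Ends the request if the nonce is missing, stale, or minted for another user/action.
    check_admin_referer( 'srm_save_css', 'srm_nonce' );
    // A nonce proves the form came from this site; authorization is still separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'srm' ), '', array( 'response' => 403 ) );
    }
    $css = isset( $_POST['srm_custom_css'] ) ? wp_unslash( $_POST['srm_custom_css'] ) : '';
    // Strip markup so the stored value cannot carry tags or script; CSS text only.
    $css = wp_strip_all_tags( $css );
    update_option( 'srm_custom_css', $css );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_srm_save_css', 'srm_safe_save_css' );
```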

Disclosure

01/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00009

KEV

no

Activities

very low

Sources
