CVE-2026-9722
4.3 MEDIUMThe Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5
Published: 2026-06-02 · Last updated: 2026-06-02
Severity and scoring
- CVSS
- 4.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CWE
- CWE-352
Description
The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the addOptionsPageFields function. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, tag blacklist, relevance threshold, batch size, and tagging toggles, via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9722
- [Other]https://plugins.trac.wordpress.org/browser/laiser-tag/trunk/include/Tagging.php#L200
- [Other]https://plugins.trac.wordpress.org/browser/laiser-tag/trunk/include/Tagging.php#L212
- [Other]https://plugins.trac.wordpress.org/browser/laiser-tag/trunk/templates/adminOptionPage.php#L91
- [Other]https://www.wordfence.com/threat-intel/vulnerabilities/id/ed3aaa2a-8211-409c-8a75-1ac59e1d55e2?source=cve
Related CVEs
Same CWE
- CVE-2026-49396 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (7.1 HIGH)
- CVE-2026-54359 — MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled
- CVE-2026-48612 — Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’... (8.0 HIGH)
- CVE-2022-47150 — Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery (4.3 MEDIUM)
- CVE-2022-44630 — Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery (4.6 MEDIUM)