{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4138", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T15:27:34.203Z", "datePublished": "2026-04-22T07:45:42.794Z", "dateUpdated": "2026-04-22T14:17:42.821Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:42.794Z"}, "affected": [{"vendor": "nofearinc", "product": "DX Unanswered Comments", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e44dbd0e-d6a7-438b-b1bf-a6628734fec4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L40"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-04-21T19:05:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:16:35.654510Z", "id": "CVE-2026-4138", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:17:42.821Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4138", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:16:35.654510Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:17:30.999Z"}}], "cna": {"title": "DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "nofearinc", "product": "DX Unanswered Comments", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-21T19:05:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e44dbd0e-d6a7-438b-b1bf-a6628734fec4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L40"}], "descriptions": [{"lang": "en", "value": "The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:42.794Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4138", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:17:42.821Z", "dateReserved": "2026-03-13T15:27:34.203Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-22T07:45:42.794Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2026-4138", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:24.547", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L13"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L25"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L13"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L25"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L40"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e44dbd0e-d6a7-438b-b1bf-a6628734fec4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DX Unanswered Comments", "source": "cna", "vendor": "nofearinc"}, "product": "dx_unanswered_comments", "vendor": "nofearinc"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T09:21:53.905392+00:00", "value": {"mitigation_remediation": ["Upgrade the DX Unanswered Comments plugin to a version that includes CSRF protection, or uninstall it if it is no longer needed.", "Limit access to the WordPress administration area to trusted IP addresses and enforce strong authentication practices.", "Monitor administrator activity for unexpected configuration changes and consider implementing custom CSRF token checks in the admin interface."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized plugin settings modification via CSRF"}, "threat_synthesis": {"affected_systems": "All installations of the DX Unanswered Comments plugin version 1.7 or earlier are affected. The flaw is present in the file dxuc\u2011unanswered\u2011comments\u2011admin\u2011page.php within the plugin package.", "description_and_impact": "The DX Unanswered Comments plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery because a nonce is missing on its settings form. This flaw allows any unauthenticated user to send a forged request that changes the plugin\u2019s configuration values such as dxuc_authors_list and dxuc_comment_count. The resulting change does not directly disclose user data, but it grants the attacker the ability to alter comment moderation behavior or display, effectively degrading the site\u2019s integrity and potentially defacing content.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, so the current exploitation likelihood is unclear. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an unauthenticated user crafting a CSRF request that a site administrator would inadvertently execute, usually via a malicious link or image. The lack of nonce validation makes the request trivial to trigger once admin credentials are presented."}}}}, "created": "2026-04-22T09:30:13.552257+00:00", "updated": "2026-04-22T11:43:49.556901+00:00", "vendors": ["nofearinc", "nofearinc$PRODUCT$dx_unanswered_comments", "wordpress", "wordpress$PRODUCT$wordpress"]}