Vulnerabilities and security researches forgoogle-pagerank-display google-pagerank-display

Apr 24, 2026

CVE, Research URL: CVE-2026-6294
Home page URL: Security reports for Google PageRank Display
Application: Google PageRank Display
Date: Apr 22, 2026
Research Description: The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge.
Affected versions: max 1.4.
Status: vulnerable