cleantalk
Vulnerabilities and Security Researches

AJAX Report Comments, CVE-2026-8902

CVE, Research URL

CVE-2026-8902

Home page URL

Security reports for AJAX Report Comments

Application

AJAX Report Comments

Published on
Jun 09, 2026
Research Description
The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc_options_page function. This makes it possible for unauthenticated attackers to modify plugin settings including link text and markup, success/failure/already-reported messages, comment threshold, cookie duration, reporter-comment toggle, and notification email address, subject, and message body via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.0.4.
Status
vulnerable
Previous vulnerability researches
Accordion Slider Lite (CVE-2024-11892) , Jan 12, 2025
New vulnerability
cformsII (CVE-2026-39435) , Jun 11, 2026
Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms (CVE-2026-49106) , Jun 11, 2026
Extra Settings for RocketChat (CVE-2026-8841) , Jun 11, 2026
WP24 Domain Check (CVE-2021-47984) , Jun 11, 2026
SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! (CVE-2026-49781) , Jun 10, 2026