cleantalk
Vulnerabilities and Security Researches

Google PageRank Display, CVE-2026-6294

CVE, Research URL

CVE-2026-6294

Home page URL

Security reports for Google PageRank Display

Application

Google PageRank Display

Published on
Apr 22, 2026
Research Description
The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge.
Affected versions
max 1.4.
Status
vulnerable
Previous vulnerability researches
Livemesh SiteOrigin Widgets (CVE-2025-8780) , Apr 23, 2026
Livemesh SiteOrigin Widgets (0dc46a2ee5ef036dfed29524d3f3f1875466101d) , Jun 07, 2024
Livemesh SiteOrigin Widgets (CVE-2022-4974) , Nov 14, 2024
New vulnerability
SlideShowPro SC (CVE-2026-5767) , Apr 24, 2026
Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) (CVE-2025-5092) , Apr 24, 2026
LightGallery WP (CVE-2025-5092) , Apr 24, 2026
Private WP suite (CVE-2026-2719) , Apr 24, 2026
Sitekit (CVE-2025-58229) , Apr 24, 2026