cleantalk
Vulnerabilities and Security Researches

Zawgyi Embed, CVE-2026-7616

CVE, Research URL

CVE-2026-7616

Home page URL

Security reports for Zawgyi Embed

Application

Zawgyi Embed

Published on
May 12, 2026
Research Description
The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyi_adminpage function. This makes it possible for unauthenticated attackers to update the plugin's zawgyi_forceCSS setting by submitting a forged POST request to options-general.php?page=zawgyi_embed via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.1.1.
Status
vulnerable
Previous vulnerability researches
Advanced Product Search for WooCommerce – Motive Commerce Search (CVE-2026-42664) , May 13, 2026
New vulnerability
Shortcodely (CVE-2026-6913) , May 14, 2026
Graphic Web Design, Inc. Manager (CVE-2026-6663) , May 14, 2026
Forms Rb (CVE-2026-7050) , May 14, 2026
Fancy Image Show (CVE-2026-5340) , May 14, 2026
Coinbase Commerce for Contact Form 7 (CVE-2026-6709) , May 14, 2026