{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1070", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-16T20:10:58.280Z", "datePublished": "2026-01-24T07:26:40.963Z", "dateUpdated": "2026-04-08T16:38:04.187Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:04.187Z"}, "affected": [{"vendor": "adzbierajewski", "product": "Alex User Counter", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Alex User Counter <= 6.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5ef5b3-2900-44f0-9e13-66fbdc937b38?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-counter/trunk/user-counter.php#L41"}, {"url": "https://plugins.trac.wordpress.org/browser/user-counter/tags/6.0/user-counter.php#L41"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-01-23T19:22:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T15:29:09.030771Z", "id": "CVE-2026-1070", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:45:44.741Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1070", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-16T20:10:58.280Z", "datePublished": "2026-01-24T07:26:40.963Z", "dateUpdated": "2026-01-26T15:45:44.741Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-24T07:26:40.963Z"}, "affected": [{"vendor": "adzbierajewski", "product": "Alex User Counter", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Alex User Counter <= 6.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5ef5b3-2900-44f0-9e13-66fbdc937b38?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/user-counter/trunk/user-counter.php#L41"}, {"url": "https://plugins.trac.wordpress.org/browser/user-counter/tags/6.0/user-counter.php#L41"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-01-23T19:22:53.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1070", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T15:29:09.030771Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:29:36.075Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Alex User Counter para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 6.0, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n alex_user_counter_function(). Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1070", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T08:16:07.780", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-counter/tags/6.0/user-counter.php#L41"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/user-counter/trunk/user-counter.php#L41"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5ef5b3-2900-44f0-9e13-66fbdc937b38?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:41:11.465652+00:00", "value": {"mitigation_remediation": ["Update the Alex User Counter plugin to the latest released version that includes nonce validation (any version higher than 6.0).", "If an update is not yet available, disable or remove the settings page of the plugin via the WordPress admin or use a security plugin to block access to /admin.php?tab=alex_user_counter_settings.", "Employ additional CSRF protection by ensuring that all forms, especially those that change configuration, include a unique nonce generated by WordPress and verified on submission."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Request Forgery enabling unauthorized settings modifications"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has the Alex User Counter plugin installed with a version of six point\u00a0zero or earlier is affected. The issue applies to the plugin regardless of other security measures in place, because the plugin itself lacks nonce verification.", "description_and_impact": "The vulnerability arises from a missing nonce validation in the alex_user_counter_function() function of the Alex User Counter WordPress plugin. This flaw permits an attacker to forge HTTP requests that change plugin configuration without authentication. If exploited, an attacker can alter plugin settings such as counters, display options, or potentially inject malicious data, impacting the site's behavior and possibly compromising the user experience.", "risk_and_exploitability": "The CVSS v3.1 score of 4.3 indicates moderate severity. The EPSS score of less than 1 percent suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can leverage the flaw by tricking a site administrator into clicking a crafted link or submitting a forged form, which circumvents authentication controls solely at the plugin level. Because the flaw requires an administrator to be present on the site, the attack vector is primarily social engineering combined with a simple HTTP request."}}}}, "created": "2026-01-26T11:48:24.633394+00:00", "updated": "2026-04-15T21:45:14.151448+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}