{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1393", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-23T20:59:09.378Z", "datePublished": "2026-03-21T03:26:36.075Z", "dateUpdated": "2026-04-08T16:37:48.473Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:48.473Z"}, "affected": [{"vendor": "omarnas", "product": "Add Google Social Profiles to Knowledge Graph Box", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Knowledge Graph settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Add Google Social Profiles to Knowledge Graph Box <= 1.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19339b9f-8242-44a5-8239-7ef347ffbaad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/add-google-social-profiles-to-knowledge-graph-box/trunk/gsp-options.php#L10"}, {"url": "https://plugins.trac.wordpress.org/browser/add-google-social-profiles-to-knowledge-graph-box/tags/1.0/gsp-options.php#L10"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-03-20T15:19:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T18:10:19.561753Z", "id": "CVE-2026-1393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:11:10.710Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T18:10:19.561753Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T18:10:58.222Z"}}], "cna": {"title": "Add Google Social Profiles to Knowledge Graph Box <= 1.0 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "omarnas", "product": "Add Google Social Profiles to Knowledge Graph Box", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:19:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19339b9f-8242-44a5-8239-7ef347ffbaad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/add-google-social-profiles-to-knowledge-graph-box/trunk/gsp-options.php#L10"}, {"url": "https://plugins.trac.wordpress.org/browser/add-google-social-profiles-to-knowledge-graph-box/tags/1.0/gsp-options.php#L10"}], "descriptions": [{"lang": "en", "value": "The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Knowledge Graph settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:48.473Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1393", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:48.473Z", "dateReserved": "2026-01-23T20:59:09.378Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:36.075Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Knowledge Graph settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Add Google Social Profiles to Knowledge Graph Box para WordPress es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.0, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funcionalidad de actualizaci\u00f3n de ajustes. Esto hace posible que atacantes no autenticados actualicen los ajustes de Knowledge Graph del plugin a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1393", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:53.380", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/add-google-social-profiles-to-knowledge-graph-box/tags/1.0/gsp-options.php#L10"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/add-google-social-profiles-to-knowledge-graph-box/trunk/gsp-options.php#L10"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19339b9f-8242-44a5-8239-7ef347ffbaad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Add Google Social Profiles to Knowledge Graph Box", "source": "cna", "vendor": "omarnas"}, "product": "add_google_social_profiles_to_knowledge_graph_box", "vendor": "omarnas"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:28:16.913294+00:00", "value": {"mitigation_remediation": ["Update the Add Google Social Profiles to Knowledge Graph Box plugin to the latest version, ensuring that nonce validation is in place.", "If a new version is not yet available, disable or remove the plugin from the WordPress installation to eliminate the risk.", "Apply timely security updates to WordPress core and other plugins to reduce the attack surface.", "Restrict administrator accounts to trusted users, enforce strong passwords, and apply the principle of least privilege.", "If possible, implement a web application firewall or CSRF protection plugin to block forged requests from reaching the plugin settings endpoint."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Settings Change"}, "threat_synthesis": {"affected_systems": "Plugins deployed on WordPress sites that use omarnas\u2019 Add Google Social Profiles to Knowledge Graph Box, version 1.0 or earlier. Any installation of the plugin with those versions is affected while an administrator has editor or admin privileges and can be tricked into clicking a malicious link.", "description_and_impact": "The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress contains a Cross\u2011Site Request Forgery vulnerability caused by the omission of nonce validation in its settings update routine. Because the plugin accepts options changes without verifying the request source, an unauthenticated attacker can craft a forged request that an administrator will unknowingly submit, allowing the attacker to modify the Knowledge Graph settings. Such a configuration change could lead to incorrect metadata being published or even injection of malicious links, compromising the integrity of published content.", "risk_and_exploitability": "The CVSS base score for this issue is 4.3, indicating moderate risk. EPSS information is not published and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to target a site administrator and socially engineer a click on a crafted link, which limits the scope to sites with the vulnerable plugin installed. While the attack vector is user interaction, the lack of nonce checks means any forged request can be accepted, making the exploitation straightforward once a victim is lured. The overall risk is moderate but should be mitigated promptly on affected installations."}}}}, "created": "2026-03-23T09:50:58.659619+00:00", "updated": "2026-03-25T14:42:33.529826+00:00", "vendors": ["omarnas", "omarnas$PRODUCT$add_google_social_profiles_to_knowledge_graph_box", "wordpress", "wordpress$PRODUCT$wordpress"]}