{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1877", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T07:11:17.079Z", "datePublished": "2026-03-31T05:28:52.635Z", "dateUpdated": "2026-04-08T17:18:54.457Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:54.457Z"}, "affected": [{"vendor": "johnh10", "product": "Auto Post Scheduler", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.84", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps_options_page' function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd387fe3-ffc5-4981-93d7-2b0b14cc11d5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/auto-post-scheduler/tags/1.84/auto-post-scheduler.php#L200"}, {"url": "https://plugins.trac.wordpress.org/browser/auto-post-scheduler/tags/1.84/auto-post-scheduler.php#L962"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-03-30T16:31:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:48:07.749369Z", "id": "CVE-2026-1877", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:48:16.836Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1877", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:48:07.749369Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:48:12.175Z"}}], "cna": {"title": "Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "johnh10", "product": "Auto Post Scheduler", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.84"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-30T16:31:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd387fe3-ffc5-4981-93d7-2b0b14cc11d5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/auto-post-scheduler/tags/1.84/auto-post-scheduler.php#L200"}, {"url": "https://plugins.trac.wordpress.org/browser/auto-post-scheduler/tags/1.84/auto-post-scheduler.php#L962"}], "descriptions": [{"lang": "en", "value": "The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps_options_page' function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-31T05:28:52.635Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1877", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:48:16.836Z", "dateReserved": "2026-02-04T07:11:17.079Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-31T05:28:52.635Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps_options_page' function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Auto Post Scheduler para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta e incluyendo la 1.84. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n 'aps_options_page'. Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1877", "lastModified": "2026-04-24T18:11:16.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-31T06:16:00.937", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/auto-post-scheduler/tags/1.84/auto-post-scheduler.php#L200"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/auto-post-scheduler/tags/1.84/auto-post-scheduler.php#L962"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd387fe3-ffc5-4981-93d7-2b0b14cc11d5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.84]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Auto Post Scheduler", "source": "cna", "vendor": "johnh10"}, "product": "auto_post_scheduler", "vendor": "johnh10"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-31T07:21:18.879650+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to the latest available version that removes the nonce check", "Verify post\u2011upgrade that no malicious code remains in the plugin settings", "If upgrading is not possible, disable or delete the plugin until a safe version is released", "Implement an additional CMS\u2011wide CSRF protection plugin to guard against similar issues in other extensions", "Regularly audit administrator activity and review script injections"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site running Auto Post Scheduler version 1.84 or earlier, distributed by johnh10, is affected. Sites that have not applied the latest release are at risk. No data on proprietary modifications or custom builds, so the stated versions should be considered the full scope.", "description_and_impact": "The Auto Post Scheduler plugin is susceptible to a CSRF flaw that omits nonce verification in the aps_options_page handler. If an attacker forces an administrator to submit a forged request, the request can change plugin settings and insert arbitrary JavaScript. The injected script is stored and later served to site visitors or admins, providing stored cross\u2011site scripting that can read cookies, hijack sessions, or modify page content. This weakness, classified as CWE\u201179, enables attackers to compromise the confidentiality and integrity of the website without needing privileged credentials beyond a regular administrator.", "risk_and_exploitability": "The CVSS base score of 6.1 places the vulnerability in the medium category. Because the exploit requires the attacker to successfully induce an admin to click a crafted link, it relies on social engineering rather than automated exploitation, which lowers the real\u2011world exploitation probability. EPSS data is unavailable and the flaw is not listed in the KEV catalog, suggesting it has not yet been widely abused. Nonetheless, the potential for persistent script execution means administrators should treat this as a priority issue and address promptly."}}}}, "created": "2026-03-31T19:56:12.949074+00:00", "updated": "2026-03-31T20:39:28.760082+00:00", "vendors": ["johnh10", "johnh10$PRODUCT$auto_post_scheduler", "wordpress", "wordpress$PRODUCT$wordpress"]}