{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27090", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:24:05.456Z", "datePublished": "2026-02-19T08:27:11.584Z", "dateUpdated": "2026-04-28T16:15:01.674Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "kenta-companion", "product": "Kenta Companion", "vendor": "WP Moose", "versions": [{"lessThanOrEqual": "1.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:14.074Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.<p>This issue affects Kenta Companion: from n/a through <= 1.3.3.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.This issue affects Kenta Companion: from n/a through <= 1.3.3."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.674Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/kenta-companion/vulnerability/wordpress-kenta-companion-plugin-1-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Kenta Companion plugin <= 1.3.3 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T16:23:03.655865Z", "id": "CVE-2026-27090", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:56:16.392Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27090", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T16:23:03.655865Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T16:21:21.864Z"}}], "cna": {"title": "WordPress Kenta Companion plugin <= 1.3.3 - Cross Site Request Forgery (CSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WP Moose", "product": "Kenta Companion", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.3"}], "packageName": "kenta-companion", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:14.074Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/kenta-companion/vulnerability/wordpress-kenta-companion-plugin-1-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.This issue affects Kenta Companion: from n/a through <= 1.3.3.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.<p>This issue affects Kenta Companion: from n/a through <= 1.3.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.674Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27090", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:15:01.674Z", "dateReserved": "2026-02-17T13:24:05.456Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:11.584Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.This issue affects Kenta Companion: from n/a through <= 1.3.3."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en WP Moose Kenta Companion kenta-companion permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a Kenta Companion: desde n/a hasta &lt;= 1.3.3."}], "id": "CVE-2026-27090", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:27.910", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/kenta-companion/vulnerability/wordpress-kenta-companion-plugin-1-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kenta Companion", "source": "cna", "vendor": "WP Moose"}, "product": "kenta_companion", "vendor": "wp_moose"}], "analysis": {"en": {"generated_at": "2026-04-16T16:56:37.325813+00:00", "value": {"mitigation_remediation": ["Upgrade the Kenta Companion plugin to the latest release that addresses the CSRF flaw.", "If an immediate upgrade is not feasible, limit the plugin\u2019s administrative functions to users with the highest privileged roles and enforce a manual CSRF token for any state\u2011changing request.", "Deploy a comprehensive WordPress security solution such as Wordfence or Sucuri to detect and block malicious requests and monitor suspicious activity."], "summary": {"action": "Update", "impact": "Potential unauthorized actions via CSRF"}, "threat_synthesis": {"affected_systems": "WP Moose Kenta Companion plugin versions 1.3.3 and earlier. Any WordPress site with this plugin installed is affected.", "description_and_impact": "The vulnerability is a CSRF flaw in the Kenta Companion plugin for WordPress. An authenticated user who follows a malicious link can be tricked into making unintended changes to site settings or content. This weakness is due to missing CSRF protection, identified as CWE\u2011352.", "risk_and_exploitability": "Based on the description, the attack vector is inferred to require a logged\u2011in user to click a crafted link, making it a social\u2011engineering attack. The CVSS score of 4.3 indicates low severity, while the EPSS score of less than 1% suggests a low likelihood of real\u2011world exploitation. The vulnerability is not listed in the KEV catalog. Because the plugin lacks a proper CSRF token, the request can be delivered without direct user interaction beyond clicking a link."}}}}, "created": "2026-02-20T10:07:59.273174+00:00", "updated": "2026-04-16T17:00:09.388332+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_moose", "wp_moose$PRODUCT$kenta_companion"]}