PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7614 mkhfr CVE debrief

CVE-2026-7614 documents a Cross-Site Request Forgery (CSRF) vulnerability in the Old Posts Highlighter WordPress plugin affecting all versions up to and including 1.0.3. The flaw stems from missing or incorrect nonce validation on the `OPH_options` function: an unauthenticated attacker who can induce a logged-in site administrator to perform an action such as clicking a malicious link can have the administrator's browser submit a forged request that modifies the plugin's configuration settings. The vulnerability was published on 2026-05-27 with a CVSS 3.1 base score of 4.3 (Medium). The weakness is classified as CWE-352 (Cross-Site Request Forgery). No exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
mkhfr
Product
Old Posts Highlighter
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using the Old Posts Highlighter plugin, security teams managing WordPress deployments, and web application security assessors evaluating WordPress plugin security postures should prioritize review of this vulnerability.

Technical summary

The Old Posts Highlighter plugin for WordPress does not properly validate a nonce in its `OPH_options` administrative function before acting on a settings-change request. WordPress nonces are the platform's standard CSRF defence. Despite the name they are not single-use numbers but time-limited tokens derived from the action name, the logged-in user's ID and session token, and the site's secret keys; they are emitted into a form with `wp_nonce_field()` and checked on submission with `check_admin_referer()` or `wp_verify_nonce()`. A page on another origin cannot obtain a valid token, so a request that lacks one cannot have come from the plugin's own form. Without that check, an attacker can host a page that auto-submits a request to the settings handler; because the browser attaches the administrator's authentication cookies automatically, the plugin treats the request as the administrator's own and saves the attacker's values. The attacker needs no account on the site, but the attack succeeds only if an administrator with a live session visits the malicious resource, and its reach is limited to what that handler writes: the plugin's settings.
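The pattern at issue and its fix, shown side by side as an added illustration. This is not the Old Posts Highlighter plugin's code: the `oph_demo_*` function names, the option key `oph_demo_settings` and the `days` field are assumptions chosen for the example.

```php
<?php
/*
 * Added example: a minimal WordPress settings handler written twice, first
 * without CSRF protection (the pattern the advisory describes) and then with
 * it. Not the Old Posts Highlighter plugin's code; the names oph_demo_*, the
 * option key 'oph_demo_settings' and the 'days' field are assumptions.
 */

/* Vulnerable pattern: accepts any POST that reaches the settings page. */
function oph_demo_options_vulnerable() {
    if ( isset( $_POST['oph_demo_days'] ) ) {
        /* No nonce and no capability check. A cross-site form submission
         * carrying the administrator's cookies is saved as if it were a
         * legitimate click on "Save Changes". */
        update_option( 'oph_demo_settings', array(
            'days' => (int) $_POST['oph_demo_days'],
        ) );
    }
    oph_demo_render_form( false );
}

/* Hardened pattern: authorization, then nonce, then validation, then save. */
function oph_demo_options_hardened() {
    if ( isset( $_POST['oph_demo_days'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
        }
        /* check_admin_referer() verifies that the submitted nonce was issued
         * for this action, to this logged-in user, within its lifetime, and
         * terminates the request with a 403 otherwise. A forged request from
         * another origin cannot contain a valid value for this field. */
        check_admin_referer( 'oph_demo_save_settings', 'oph_demo_nonce' );

        $days = absint( wp_unslash( $_POST['oph_demo_days'] ) );
        update_option( 'oph_demo_settings', array( 'days' => $days ) );
        add_settings_error( 'oph_demo', 'oph_demo_saved', 'Settings saved.', 'updated' );
    }
    oph_demo_render_form( true );
}

/* Renders the form; with $with_nonce the hidden nonce field is included. */
function oph_demo_render_form( $with_nonce ) {
    $opts = get_option( 'oph_demo_settings', array( 'days' => 365 ) );
    settings_errors( 'oph_demo' );
    ?>
    <form method="post" action="">
        <?php
        if ( $with_nonce ) {
            /* Emits hidden inputs 'oph_demo_nonce' and '_wp_http_referer'
             * that check_admin_referer() above expects. */
            wp_nonce_field( 'oph_demo_save_settings', 'oph_demo_nonce' );
        }
        ?>
        <label>Highlight posts older than
            <input type="number" name="oph_demo_days" min="1"
                   value="<?php echo esc_attr( $opts['days'] ); ?>"> days
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

/* Only the hardened handler is wired to a menu entry; the vulnerable one is
 * kept for comparison and must never be registered on a real site. */
add_action( 'admin_menu', function () {
    add_options_page( 'OPH demo', 'OPH demo', 'manage_options',
        'oph-demo', 'oph_demo_options_hardened' );
} );
```

The order in the hardened handler matters: the capability check answers "may this user change settings at all", the nonce check answers "did this user actually submit the plugin's own form", and only then is input validated and stored. Dropping either check reintroduces a real weakness; dropping only the nonce check is exactly the condition the advisory describes.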

Defensive priority

medium

Recommended defensive actions

  • Update the Old Posts Highlighter plugin to a release newer than 1.0.3 if one is available; if the plugin is no longer maintained, deactivate and remove it rather than leaving the vulnerable handler reachable
  • Where a WAF or reverse proxy fronts wp-admin, reject POST requests to administrative endpoints whose Origin or Referer header names a different site, as defence in depth; this is a compensating control and does not replace the plugin's missing nonce check
  • Review administrator activity logs and the plugin's stored settings for unexpected changes, not only around the disclosure date but for the whole period the plugin has been installed, because a successful CSRF leaves little server-side trace beyond the changed values themselves
  • Apply least privilege by keeping the number of administrator accounts small and, for those accounts, avoiding browsing untrusted sites from a browser that holds a wp-admin session; multi-factor authentication remains worthwhile for account security, but it does not stop CSRF, which rides an already-authenticated session
  • Set the SameSite attribute (Lax or Strict) on WordPress authentication cookies, for example via the web server's cookie-rewriting directives, so that cross-site POST submissions do not carry them; Content Security Policy does not prevent CSRF and should not be counted as a mitigation for it
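A way to apply the Origin/Referer check from the list above inside WordPress itself when no WAF or proxy is available, as an added example. It is not the Old Posts Highlighter plugin's code and not a WordPress core feature; the function name and the decision to allow requests that carry neither header are assumptions you should tune for your site.

```php
<?php
/*
 * Plugin Name: Admin Origin Guard (added example)
 * Description: Rejects state-changing requests to wp-admin whose Origin or
 * Referer names another site. Defence in depth only; it does not replace
 * nonce checks inside plugins. Install as wp-content/mu-plugins/origin-guard.php.
 * Not the Old Posts Highlighter plugin's code; the function name and the
 * allow-when-both-headers-absent policy are assumptions.
 */

/*
 * Decide whether a request is acceptable. Pure function over the server
 * array and the site URL so it can be exercised without a running WordPress.
 */
function oph_guard_request_is_same_site( array $server, $site_url ) {
    $method = strtoupper( isset( $server['REQUEST_METHOD'] ) ? $server['REQUEST_METHOD'] : 'GET' );
    if ( in_array( $method, array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return true; /* only state-changing methods are policed */
    }

    $expected = parse_url( $site_url, PHP_URL_HOST );

    /* Browsers send Origin on cross-site POSTs; fall back to Referer. */
    $source = '';
    if ( ! empty( $server['HTTP_ORIGIN'] ) ) {
        $source = $server['HTTP_ORIGIN'];
    } elseif ( ! empty( $server['HTTP_REFERER'] ) ) {
        $source = $server['HTTP_REFERER'];
    }

    if ( $source === '' ) {
        /* Neither header (non-browser client, privacy extension): the nonce
         * remains the primary control, so allow. Return false here instead
         * for a strict policy. */
        return true;
    }

    /* An Origin of the literal string "null" (sandboxed iframe, data: URL)
     * has no host and is therefore rejected by the comparison below. */
    $host = parse_url( $source, PHP_URL_HOST );
    return is_string( $host ) && is_string( $expected ) && strcasecmp( $host, $expected ) === 0;
}

add_action( 'admin_init', function () {
    /* admin-ajax.php also fires admin_init, and some plugins legitimately
     * accept cross-site POSTs there (webhooks, payment callbacks); leave it
     * to the nonce checks those handlers should already perform. */
    if ( wp_doing_ajax() ) {
        return;
    }
    /* Admin pages live under the site URL (the 'siteurl' option), which may
     * differ from home_url() on sites that serve WordPress from a subfolder. */
    if ( ! oph_guard_request_is_same_site( $_SERVER, site_url() ) ) {
        wp_die( 'Cross-site request to wp-admin rejected.', '', array( 'response' => 403 ) );
    }
} );
```

Test this on staging before production: any third-party flow that redirects back into wp-admin with a POST, or a deployment where the host users type differs from the one in the `siteurl` option, will be blocked by it. The comparison deliberately ignores scheme and port so that a site reachable over both `http` and `https` during a migration is not locked out; tighten it to a full-origin comparison once that is settled.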

Evidence notes

The vulnerability was reported by Wordfence and is documented in the NVD with references to specific source code locations in the plugin's OPH_admin.php file at lines 37 and 163 for both the tagged 1.0.3 release and trunk versions. The CVSS vector records a network attack vector, low attack complexity, no privileges required and user interaction required, which matches the CSRF model: the attacker needs no account on the site, but a logged-in administrator must act on the attacker's content.

Official resources

2026-05-27