PatchSiren cyber security CVE debrief
CVE-2026-8938 nakamura1458 CVE debrief
A Cross-Site Request Forgery (CSRF) vulnerability in the Auto Making JSON-LD WordPress plugin allows unauthenticated attackers to manipulate license settings and trigger unauthorized pro feature installation. The flaw exists in the `amJL_certification` function due to missing or incorrect nonce validation, affecting all versions up to and including 4.5.3. Successful exploitation requires social engineering an administrator into clicking a malicious link, but the downstream impact extends beyond simple settings modification to include license validation checks and automatic installation of plugin components.
- Vendor: nakamura1458
- Product: auto making JSON-LD
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
WordPress site administrators using the Auto Making JSON-LD plugin; security teams monitoring plugin supply chain integrity; organizations with strict software installation policies
Technical summary
The vulnerability resides in the `amJL_certification` function within the Auto Making JSON-LD WordPress plugin. Missing nonce validation permits unauthenticated attackers to forge requests that update the plugin's license key option. This triggers subsequent calls to `amJL_is_license_valid()` and `amJL_download_and_install_pro_features()`, enabling unauthorized pro feature installation without administrator consent. The attack requires user interaction through social engineering.
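As an added illustration (not code from the Auto Making JSON-LD plugin or its author), a minimal WordPress option-update handler written two ways: the unprotected pattern this debrief describes, and a hardened version that verifies a nonce bound to the action and checks the caller's capability before touching the option. All function, option and action names are hypothetical.

```php
<?php
// Added example; not the plugin's own code. Names such as
// myplugin_save_license() and 'myplugin_license_key' are hypothetical.

// UNPROTECTED PATTERN: the handler trusts any POST that reaches it. A form on
// an attacker-controlled page, submitted by a logged-in administrator, updates
// the option and runs every side effect (license checks, downloads) that
// hangs off it, without the administrator's intent.
function myplugin_save_license_unprotected() {
    if ( isset( $_POST['license_key'] ) ) {
        $key = sanitize_text_field( wp_unslash( $_POST['license_key'] ) );
        update_option( 'myplugin_license_key', $key );
    }
}

// HARDENED PATTERN: require a capability check and a nonce that is tied to
// this action and the current user's session. A cross-site form cannot
// obtain the nonce value, so the forged request fails before update_option().
function myplugin_save_license() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 'Forbidden', array( 'response' => 403 ) );
    }
    // Verifies the '_wpnonce' field for the 'myplugin_save_license' action;
    // dies with a 403 if the nonce is missing, stale or for another user.
    check_admin_referer( 'myplugin_save_license' );

    if ( isset( $_POST['license_key'] ) ) {
        $key = sanitize_text_field( wp_unslash( $_POST['license_key'] ) );
        update_option( 'myplugin_license_key', $key );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// The settings form emits the matching nonce so legitimate submissions pass.
function myplugin_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_save_license">';
    wp_nonce_field( 'myplugin_save_license' );
    echo '<input type="text" name="license_key">';
    submit_button( 'Save license' );
    echo '</form>';
}

// Route the admin-post action through the hardened handler only.
add_action( 'admin_post_myplugin_save_license', 'myplugin_save_license' );
```

When auditing a plugin for this class of bug, look for `update_option()` calls reachable from request data with no `check_admin_referer()` / `wp_verify_nonce()` and no `current_user_can()` on the same path.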
Defensive priority
medium
Recommended defensive actions
- Update Auto Making JSON-LD plugin to version 4.5.4 or later when available
- Implement additional CSRF protection layers via web application firewall rules for WordPress admin endpoints
- Review plugin file integrity and audit recently installed components if exploitation is suspected
- Apply principle of least privilege for WordPress administrator accounts
- Monitor for unexpected plugin installations or license validation network traffic
Evidence notes
Vulnerability confirmed via WordPress plugin repository source code review at certification.php lines 14 and 16. Wordfence assigned CVE and published technical analysis. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N reflects network attack vector with user interaction required.
Official resources
2026-05-27