CVE-2026-9730
Remove NoFollow Commenter URL <= 1.0 - Cross-Site Request Forgery to Settings Update
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the gmz_comment_settings_save function. This makes it possible for unauthenticated attackers to modify the plugin's comment-display setting via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
| CWE | CWE-352 |
| Vendor | jamesmuga |
| Product | remove nofollow commenter url |
| Published | Jun 2, 2026 |
| Last Updated | Jun 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for jamesmuga remove nofollow commenter url
Be the first to know when new medium vulnerabilities affecting jamesmuga remove nofollow commenter url are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
jamesmuga / Remove NoFollow Commenter URL
0 โค 1.0
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c47e170f-f51e-400a-97f3-4da034c193a9?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/remove-nofollow-commenter-link/tags/1.0/gmzxnofollow.php#L24 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/remove-nofollow-commenter-link/tags/1.0/gmzxnofollow.php#L32 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/remove-nofollow-commenter-link/tags/1.0/gmzxnofollow.php#L42
Credits
swat