The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-6700

CVE-2026-6700: DX Sources WordPress Plugin CSRF Flaw

CVE-2026-6700 is a Cross-Site Request Forgery vulnerability in the DX Sources WordPress plugin that allows attackers to modify plugin settings. This article covers technical details, affected versions, impact, and mitigation.

Published: May 7, 2026

CVE-2026-6700 Overview

CVE-2026-6700 is a Cross-Site Request Forgery (CSRF) vulnerability in the DX Sources plugin for WordPress, affecting all versions up to and including 2.0.1. The flaw exists in the settings_page_build function due to missing or incorrect nonce validation. An unauthenticated attacker can craft a malicious request that, when triggered by a logged-in administrator (such as by clicking a link), modifies the plugin's configuration options without consent. The vulnerability is classified under CWE-352.

Critical Impact

Successful exploitation allows unauthorized modification of DX Sources plugin settings on affected WordPress sites, contingent on tricking an administrator into a single user interaction.

Affected Products

  • DX Sources plugin for WordPress, all versions through 2.0.1
  • WordPress sites with administrators who can be socially engineered into clicking attacker-controlled links
  • Deployments where the plugin's settings.class.php lacks proper nonce verification

Discovery Timeline

  • 2026-05-05 - CVE-2026-6700 published to NVD
  • 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2026-6700

Vulnerability Analysis

The DX Sources plugin processes settings updates through the settings_page_build function defined in inc/settings.class.php. This function fails to validate a WordPress nonce before applying configuration changes. Without nonce validation, the server cannot distinguish between a legitimate administrator-submitted form and a request forged by a third party. An attacker hosts a page containing a crafted form or link targeting the WordPress admin endpoint. When an authenticated administrator visits the malicious page, the browser automatically attaches valid session cookies, and the server processes the forged request as authentic.

The attack requires user interaction (UI:R) and modifies plugin configuration, resulting in limited integrity impact without confidentiality or availability consequences.

Root Cause

The root cause is the absence of wp_verify_nonce or check_admin_referer validation in the settings handler. WordPress provides nonces specifically to bind administrative actions to a verified user session. The plugin code at lines 46 and 79 of settings.class.php accepts POST data and writes plugin options without confirming the request originated from an intentional administrator action.

Attack Vector

Exploitation occurs over the network with low complexity. The attacker prepares a webpage hosting a hidden form or auto-submitting JavaScript that targets the DX Sources settings endpoint. The attacker then delivers the page URL to an administrator through phishing, comment fields, or third-party site compromise. When the administrator clicks the link while authenticated to WordPress, the browser submits the forged request and the plugin applies attacker-chosen configuration values. No authentication credentials are required from the attacker because the victim's session supplies authorization.

No verified public exploit code is available. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Source Code for technical details on the affected function.

Detection Methods for CVE-2026-6700

Indicators of Compromise

  • Unexpected modifications to DX Sources plugin settings appearing in the WordPress options table without corresponding administrator activity logs.
  • HTTP POST requests to wp-admin/options-general.php or the DX Sources settings page lacking a valid _wpnonce parameter.
  • Referer headers on settings update requests pointing to external, non-WordPress domains.
  • Administrator browser history containing suspicious URLs immediately preceding plugin configuration changes.

Detection Strategies

  • Monitor WordPress audit logs for plugin option changes and correlate timestamps with administrator login sessions and access patterns.
  • Inspect web server access logs for POST requests to plugin admin endpoints originating from unexpected referrers or lacking nonce parameters.
  • Deploy a Web Application Firewall (WAF) rule that flags state-changing POST requests to /wp-admin/ paths missing the _wpnonce field.

Monitoring Recommendations

  • Enable a WordPress activity logging plugin to capture configuration changes with user attribution and source IP.
  • Alert on outbound clicks from administrator workstations to recently registered or low-reputation domains.
  • Track DX Sources plugin version installed across all managed WordPress instances and flag versions ≤ 2.0.1.

How to Mitigate CVE-2026-6700

Immediate Actions Required

  • Identify all WordPress sites running the DX Sources plugin and verify the installed version against the vulnerable range (≤ 2.0.1).
  • Disable the DX Sources plugin until a patched release is installed if administrators cannot avoid clicking external links during their workflow.
  • Restrict WordPress administrator accounts to dedicated browser profiles or sessions that are not used for general web browsing.

Patch Information

At the time of publication, the Wordfence Vulnerability Report lists all versions through 2.0.1 as affected. Administrators should monitor the DX Sources plugin repository for an updated release that adds nonce validation to the settings_page_build function and apply it as soon as it is available.

Workarounds

  • Deploy a WAF rule that rejects POST requests to DX Sources settings endpoints when a valid _wpnonce parameter is absent.
  • Enforce SameSite=Strict or SameSite=Lax cookies on the WordPress session to limit cross-origin request forgery surface.
  • Require administrators to log out of WordPress sessions when not actively performing site management tasks.
  • Train administrative users to recognize phishing links and avoid clicking external URLs while authenticated to WordPress.
bash
# Example ModSecurity rule to block CSRF attempts on WordPress admin POSTs lacking a nonce
SecRule REQUEST_METHOD "@streq POST" \
    "id:1006700,phase:2,chain,deny,status:403,\
    msg:'Possible CSRF: WordPress admin POST without _wpnonce'"
    SecRule REQUEST_URI "@contains /wp-admin/" "chain"
        SecRule &ARGS:_wpnonce "@eq 0"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeCSRF
  • Vendor/TechWordpress
  • SeverityMEDIUM
  • CVSS Score4.3
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityLow
  • AvailabilityNone
  • CWE References
  • CWE-352
  • Technical References
  • WordPress Plugin Source Code
  • WordPress Plugin Source Code
  • WordPress Plugin Source Code
  • WordPress Plugin Source Code
  • Wordfence Vulnerability Report
  • Related CVEs
  • CVE-2026-6701: WordPress addfreespace Plugin CSRF Flaw
  • CVE-2026-6702: WordPress Publish 2 Ping.fm CSRF Vulnerability
  • CVE-2026-3772: WP Editor Plugin CSRF Vulnerability
  • CVE-2026-3140: WordPress Ultimate Dashboard CSRF Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English