CVE-2026-8902 Overview
CVE-2026-8902 is a Cross-Site Request Forgery (CSRF) vulnerability in the AJAX Report Comments plugin for WordPress, affecting all versions up to and including 2.0.4. The flaw is in the rc_options_page function, which saves plugin settings without validating a nonce. An unauthenticated attacker can craft a request that, when an authenticated site administrator is induced to submit it (for example by visiting an attacker-controlled page while logged in), modifies plugin settings without authorization. Affected settings include link text and markup, success and failure messages, the comment threshold, cookie duration, the reporter-comment toggle, and the notification email destination, subject, and message body. The vulnerability is tracked under CWE-352 (Cross-Site Request Forgery).
Critical Impact
An attacker with no account on the site can alter the notification email address and other plugin behavior on any vulnerable WordPress site by luring a logged-in administrator to a crafted page or link.
Affected Products
- AJAX Report Comments plugin for WordPress, versions through 2.0.4
- WordPress sites with the plugin installed and active
- Administrator accounts with access to the plugin options page
Discovery Timeline
- 2026-06-09 - CVE-2026-8902 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-8902
Vulnerability Analysis
The vulnerability resides in the rc_options_page function of the AJAX Report Comments plugin. This function processes administrative form submissions to update plugin configuration but fails to verify a WordPress nonce token. Without nonce validation, the plugin cannot distinguish between legitimate administrator actions and forged requests originating from external sites.
An attacker hosts a page containing an auto-submitting HTML form (or, if the handler also reads its parameters from a GET request, a plain link) that targets the plugin options endpoint. When a logged-in administrator loads the page, the browser submits the request with the WordPress authentication cookies attached automatically, so the plugin treats it as the administrator's own action and applies the attacker-controlled settings. One practical caveat: Chromium-based browsers treat cookies that lack a SameSite attribute as Lax, which withholds them on cross-site POST navigations (apart from a short grace period after the cookie is set) and so blunts the form-POST variant there; other browsers do not apply that default, and Lax never withholds cookies on a cross-site top-level GET navigation, so a handler that accepts GET parameters remains exposed everywhere.
The direct impact is to integrity rather than confidentiality. Changing the notification email address, subject, and message body lets an attacker redirect comment-report alerts to a mailbox they control, or effectively silence them, which undermines moderation workflows; the attacker-chosen subject and body can also lend credibility to follow-up social engineering against the site's moderators.
Root Cause
The root cause is missing or incorrect nonce validation in the settings handler. WordPress provides wp_nonce_field() to emit a nonce in a form and check_admin_referer() (or wp_verify_nonce()) to verify it on submission; a nonce is bound to the current user, an action name, and a time window, so a page on another origin cannot obtain one to embed in a forged request. The plugin does not invoke these checks before persisting configuration changes. Note that a nonce check is not an authorization check: the handler should also verify current_user_can('manage_options') so that lower-privileged users cannot save settings. References to the vulnerable code paths are available at WordPress Plugin Source Code Line 186 and WordPress Plugin Source Code Line 242.
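The following is an added example written for this advisory, not code from the AJAX Report Comments plugin: a minimal WordPress settings handler in the CSRF-vulnerable shape described above, next to its hardened form. The option names, form field names, nonce action and nonce field name (example_rc_*) are assumptions chosen for illustration.

```php
<?php
// Added example for CVE-2026-8902, NOT the plugin's source. The example_rc_*
// option names, field names and nonce action are assumptions for illustration.

// VULNERABLE: persists whatever arrives in $_POST. Any page that can make the
// administrator's browser POST here can change the settings.
function example_rc_options_page_vulnerable() {
    if ( isset( $_POST['rc_notify_email'] ) ) {
        update_option( 'example_rc_notify_email', $_POST['rc_notify_email'] );
        update_option( 'example_rc_threshold', $_POST['rc_threshold'] );
    }
    example_rc_render_form( '' ); // form is rendered without a nonce field
}

// HARDENED: capability check first (a nonce is not authorization), then the
// nonce check, then sanitisation before anything reaches the options table.
function example_rc_options_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'example' ) );
    }
    if ( isset( $_POST['rc_notify_email'] ) ) {
        // Dies unless the 'example_rc_nonce' field carries a nonce that is valid
        // for this user, this action and the current time window.
        check_admin_referer( 'example_rc_save_options', 'example_rc_nonce' );

        // $_POST is slashed by WordPress, hence wp_unslash() before sanitising.
        $email     = sanitize_email( wp_unslash( $_POST['rc_notify_email'] ) );
        $threshold = absint( $_POST['rc_threshold'] ?? 0 );
        if ( is_email( $email ) ) {
            update_option( 'example_rc_notify_email', $email );
        }
        update_option( 'example_rc_threshold', $threshold );
    }
    // wp_nonce_field() with $display = false returns the hidden inputs (the
    // nonce and a _wp_http_referer field) instead of echoing them.
    example_rc_render_form( wp_nonce_field( 'example_rc_save_options', 'example_rc_nonce', true, false ) );
}

// Shared form renderer; $nonce_html is empty in the vulnerable variant.
function example_rc_render_form( $nonce_html ) {
    $email     = get_option( 'example_rc_notify_email', '' );
    $threshold = get_option( 'example_rc_threshold', 3 );
    ?>
    <form method="post">
        <?php echo $nonce_html; // already attribute-escaped by wp_nonce_field() ?>
        <p><label>Notification email
            <input type="email" name="rc_notify_email" value="<?php echo esc_attr( $email ); ?>"></label></p>
        <p><label>Report threshold
            <input type="number" name="rc_threshold" value="<?php echo esc_attr( $threshold ); ?>"></label></p>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

Either function would be registered as the callback of an add_options_page() or add_menu_page() call. An equivalent and often simpler route is the Settings API (register_setting() with a sanitize callback, settings_fields() in the form, and posting to options.php), which performs the nonce and capability checks in core; for AJAX endpoints the matching check is check_ajax_referer().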
Attack Vector
Exploitation requires user interaction from an authenticated administrator. The attacker delivers a crafted link or auto-submitting HTML form via phishing email, forum post, comment, or compromised third-party site. No authentication or prior access to the target WordPress instance is required from the attacker. The forged request leverages the administrator's existing session to invoke the unprotected settings handler. Additional technical details are documented in the Wordfence Vulnerability Report ID 7db39101.
Detection Methods for CVE-2026-8902
Indicators of Compromise
- Unexpected changes to AJAX Report Comments plugin settings, particularly the notification email address, subject, or message body
- POST requests to the plugin options page whose Referer (or Origin, where it is logged) header names a host other than the site's own
- Comment-report notification emails arriving at unfamiliar addresses or stopping unexpectedly
- Modified link text, markup, or threshold values that administrators did not configure
Detection Strategies
- Monitor WordPress activity logs for changes to the report-comments plugin options that the administrator does not recognize; because a forged request rides the administrator's own session, the log will attribute the change to that administrator, so correlate the timestamp with the web server log entry for the matching POST and its Referer rather than expecting an anonymous or unknown actor
- Inspect web server access logs for POST requests to the plugin settings endpoint whose Referer is missing or names a host outside the site domain (the standard combined log format records Referer but not Origin; add Origin to the log format where possible)
- Compare current plugin configuration against a known-good baseline on a recurring schedule
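The detection logic from the list above, as an added example that is not part of this advisory or of the plugin: a small PHP CLI script that parses access-log lines in the common "combined" format and flags POSTs to a WordPress admin options page whose Referer is off-site or absent. The options-page path pattern, the site host name and the log lines are constructed assumptions; the real page slug must be substituted.

```php
<?php
// Added example for CVE-2026-8902 detection, not part of the advisory or plugin.
// The site host, the options-page path pattern and the log lines are constructed.

const EXAMPLE_SITE_HOST = 'blog.example';
// Assumption: the plugin's settings form posts back to its own page under
// /wp-admin/ with a ?page= query. Replace with the real slug when known.
const EXAMPLE_OPTIONS_PATH = '~^/wp-admin/(?:admin|options-general)\.php\?page=~';

// Combined log format:
//   host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
function example_parse_combined( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    ];
}

// Returns null for requests that are not of interest, otherwise a verdict string.
function example_classify( array $req, string $site_host ): ?string {
    if ( $req['method'] !== 'POST' || ! preg_match( EXAMPLE_OPTIONS_PATH, $req['path'] ) ) {
        return null;
    }
    if ( $req['referer'] === '-' || $req['referer'] === '' ) {
        // Some referrer policies strip Referer, so this is not proof of CSRF,
        // but same-origin admin forms normally carry one: queue for review.
        return 'review: settings POST without Referer';
    }
    $host = parse_url( $req['referer'], PHP_URL_HOST );
    if ( ! is_string( $host ) || strcasecmp( $host, $site_host ) !== 0 ) {
        return 'alert: settings POST with off-site Referer ' . $req['referer'];
    }
    return null; // same-origin POST, the normal case
}

// Constructed sample lines (not real traffic): a normal page load, a normal
// same-origin save, a save submitted from a third-party page, and a save with
// no Referer at all.
$example_lines = [
    '203.0.113.7 - - [09/Jun/2026:10:14:02 +0000] "GET /wp-admin/admin.php?page=example-rc HTTP/1.1" 200 5120 "https://blog.example/wp-admin/plugins.php" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jun/2026:10:14:30 +0000] "POST /wp-admin/admin.php?page=example-rc HTTP/1.1" 302 0 "https://blog.example/wp-admin/admin.php?page=example-rc" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jun/2026:11:02:11 +0000] "POST /wp-admin/admin.php?page=example-rc HTTP/1.1" 302 0 "https://third-party.example/promo.html" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jun/2026:11:05:40 +0000] "POST /wp-admin/admin.php?page=example-rc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach ( $example_lines as $line ) {
    $req = example_parse_combined( $line );
    if ( $req === null ) {
        fwrite( STDERR, "unparsed: $line\n" );
        continue;
    }
    $verdict = example_classify( $req, EXAMPLE_SITE_HOST );
    if ( $verdict !== null ) {
        printf( "%s %s %s -> %s\n", $req['time'], $req['ip'], $req['path'], $verdict );
    }
}
```

Run it with `php scan.php`; to scan a real log, replace `$example_lines` with `file( 'php://stdin', FILE_IGNORE_NEW_LINES )` and pipe the access log in. The two flagged lines above (third-party Referer, missing Referer) are the ones worth matching against the activity log entries for option changes at the same timestamps.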
Monitoring Recommendations
- Enable a WordPress activity logging plugin to capture options table writes and administrator actions
- Alert on any change to the plugin's notification email destination
- Log the Origin and Referer headers of POST requests to /wp-admin/ so that cross-site form submissions can be identified after the fact
How to Mitigate CVE-2026-8902
Immediate Actions Required
- Update the AJAX Report Comments plugin to a version newer than 2.0.4 once a patched release is available
- Audit current plugin settings and restore the intended notification email address, subject, and message body
- Require administrators to log out of WordPress when not actively performing administrative tasks
- Restrict /wp-admin/ access by IP allow-listing or VPN where operationally feasible
Patch Information
At the time of publication, no fixed version is referenced in the NVD entry. Consult the Wordfence Vulnerability Report ID 7db39101 for the latest patch status. If a patched release is not yet available, deactivate and remove the plugin until a fix is published.
Workarounds
- Deactivate the AJAX Report Comments plugin until a patched release is installed
- Deploy a Web Application Firewall (WAF) rule, or a small must-use plugin, that rejects POST requests to the plugin options page whose Origin header (or, when Origin is absent, Referer) names a host other than the site's own; browsers send Origin on cross-site form POSTs, so key the rule on a mismatching header rather than on a missing Referer alone, which some referrer policies strip for legitimate administrators
- Train administrators to avoid clicking untrusted links while logged into WordPress and to use a separate browser profile for administrative work
- Enforce short administrator session lifetimes to reduce the exploitation window
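The same-origin guard from the workarounds above, as an added example that is not part of this advisory or of the plugin: a must-use plugin that rejects POST requests handled under wp-admin when the Origin header (or, failing that, Referer) names a host other than the admin URL's host. It goes beyond the single options page, since the plugin's page slug is not given here, and applies to all admin POSTs as defense in depth. The file name, function names and fail-open choice for requests carrying neither header are assumptions.

```php
<?php
/**
 * Plugin Name: Example same-site guard for wp-admin POSTs
 *
 * Added example for CVE-2026-8902, not part of the advisory or the plugin.
 * Save as wp-content/mu-plugins/example-same-site-guard.php (create the
 * directory if it does not exist). Rejects POST requests under wp-admin whose
 * Origin header, or Referer when Origin is absent, is not the admin host.
 * A stopgap for handlers that skip nonce checks; it does not replace the fix.
 */

// Pure decision function, kept free of WordPress calls so it is easy to test.
function example_same_site_post_allowed( string $admin_host, string $origin, string $referer ): bool {
    if ( $origin === 'null' ) {
        return false; // sandboxed or privacy-sensitive context, never a same-site admin form
    }
    $source = $origin !== '' ? $origin : $referer;
    if ( $source === '' ) {
        // Neither header present (non-browser client or a stripping referrer
        // policy): cannot decide. Fail open here and rely on nonces; change to
        // `return false` for a fail-closed deployment.
        return true;
    }
    $host = parse_url( $source, PHP_URL_HOST );
    return is_string( $host ) && strcasecmp( $host, $admin_host ) === 0;
}

function example_guard_admin_post(): void {
    if ( ! is_admin() || ( $_SERVER['REQUEST_METHOD'] ?? '' ) !== 'POST' ) {
        return;
    }
    $admin_host = (string) wp_parse_url( admin_url(), PHP_URL_HOST );
    $origin     = isset( $_SERVER['HTTP_ORIGIN'] ) ? (string) $_SERVER['HTTP_ORIGIN'] : '';
    $referer    = isset( $_SERVER['HTTP_REFERER'] ) ? (string) $_SERVER['HTTP_REFERER'] : '';

    if ( ! example_same_site_post_allowed( $admin_host, $origin, $referer ) ) {
        error_log( sprintf(
            'example same-site guard: rejected cross-site POST to %s (origin=%s referer=%s)',
            $_SERVER['REQUEST_URI'] ?? '', $origin, $referer
        ) );
        wp_die( 'Cross-site request rejected.', 'Forbidden', [ 'response' => 403 ] );
    }
}

// plugins_loaded fires after every plugin file is included but before init and
// admin_init, so the guard runs ahead of handlers hooked on either of those.
add_action( 'plugins_loaded', 'example_guard_admin_post', 0 );
```

Because the check covers admin-ajax.php as well, a front end served from a different host than the admin URL (for example a decoupled site calling admin-ajax.php cross-origin) would need that host added to the allowed set. A plugin that processes $_POST at file-include time runs before plugins_loaded and is not covered; the plugin fix, or deactivation, remains the real remediation.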
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


