CVE-2026-6710
MEDIUM
4,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none
Description
AI Translation Available
The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaApps_Admin_AppPage function. This makes it possible for unauthenticated attackers to trick a site administrator into making a forged request to modify the plugin's settings, including the scrolling message text and URL, via a forged cross-site request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
352
Cross-Site Request Forgery (CSRF)
StableCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Non-Repudiation
Access Control
Potential Impacts:
Gain Privileges Or Assume Identity
Bypass Protection Mechanism
Read Application Data
Modify Application Data
Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies:
Web Based, Web Server
https://plugins.trac.wordpress.org/browser/skysa-text-ticker-app/tags/1.4/skysa…
https://plugins.trac.wordpress.org/browser/skysa-text-ticker-app/tags/1.4/skysa…
https://plugins.trac.wordpress.org/browser/skysa-text-ticker-app/trunk/skysa-re…
https://plugins.trac.wordpress.org/browser/skysa-text-ticker-app/trunk/skysa-re…
https://www.wordfence.com/threat-intel/vulnerabilities/id/bcd5b83a-7d51-455b-bb…