CVE Catalog

CVE-2026-10553

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile - higher than 2% of all known CVEs

Summary

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function.

Risk Assessment

Unauthenticated attackers can update the plugin's settings, leading to the potential injection of malicious JavaScript code that affects all site visitors. This poses a serious security risk to the site and its users.

Recommendation

It is recommended to update the plugin to the latest version that includes security fixes. Additionally, implementing CSRF protection mechanisms and sanitizing option values before rendering them on the frontend is advisable.

Original NVD description (English source)

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS