Auto Making JSON-LD Plugin Vulnerability (CVE-2026-8938)

Security Alert Summary

The auto making JSON-LD plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability that affects all versions up to and including 4.5.3. Missing or incorrect nonce validation in the amJL_certification function can allow an attacker who can trick an administrator into performing an action (for example, clicking a link) to update the plugin’s license key option and trigger subsequent license validation and pro feature installation without the administrator’s intent.


CVE Details

  • CVE ID: CVE-2026-8938
  • Affected component: The auto making JSON-LD plugin for WordPress
  • Affected versions: All versions up to and including 4.5.3
  • Published: May 27, 2026 at 07:16:18 AM UTC
  • Last modified: May 27, 2026 at 02:50:47 PM UTC
  • CVSS v3.1: Base score 4.3, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: No authentication required; privileges required: none; user interaction: required (the attacker must trick a privileged user into acting)
  • Primary impact: Confidentiality: None; Integrity: Low (unauthorized modification of plugin options and installation of components); Availability: None
  • Weakness: CWE-352 (Cross-Site Request Forgery)

Technical Details

The vulnerability is a missing or incorrect nonce validation in the plugin’s amJL_certification function. Because the request handling code does not properly verify a nonce, an attacker can craft a request that updates the plugin’s stored license key option. Successful processing of that forged request can subsequently trigger downstream calls to amJL_is_license_valid() and amJL_download_and_install_pro_features().

In practical terms, exploitation requires the attacker to induce a user with the appropriate capability (for example, an administrator) to perform an action that sends the crafted request (user interaction). The issue allows modification of plugin settings and can result in unauthorized installation of plugin components via the plugin’s existing license validation and installation paths.
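The handler pattern the advisory describes, shown as an added PHP illustration that is not the plugin's source: the `example_*` names are hypothetical stand-ins for amJL_certification and its downstream license validation and install calls, and the "before" handler lacks the nonce check while the "after" handler verifies it.

```php
<?php
// Added illustration of the CWE-352 pattern described above. All example_*
// names are hypothetical; this is not the plugin's code.

// BEFORE: the handler trusts any POST that reaches it. A cross-site form
// auto-submitted by a logged-in administrator's browser arrives with the
// victim's cookies, so the option is updated and the install chain runs.
function example_license_handler_vulnerable() {
    $key = isset( $_POST['license_key'] ) ? sanitize_text_field( wp_unslash( $_POST['license_key'] ) ) : '';
    update_option( 'example_license_key', $key );   // attacker-chosen value stored
    example_validate_and_install_pro( $key );       // downstream chain triggered
}
// Shown for contrast only; not registered on the admin_post_ hook below.

// AFTER: capability check, then nonce verification. check_admin_referer()
// calls wp_die() when the nonce is missing or invalid, so a forged request
// that cannot read the per-user nonce never reaches update_option().
function example_license_handler_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_license_save', '_example_nonce' );

    $key = isset( $_POST['license_key'] ) ? sanitize_text_field( wp_unslash( $_POST['license_key'] ) ) : '';
    update_option( 'example_license_key', $key );
    example_validate_and_install_pro( $key );

    wp_safe_redirect( admin_url( 'admin.php?page=example-license&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_license', 'example_license_handler_fixed' );

function example_validate_and_install_pro( $key ) {
    // Hypothetical stand-in for the validation/installation chain; fires a hook.
    do_action( 'example_license_changed', $key );
}

// Settings form: emit the matching nonce so legitimate submissions carry it.
function example_license_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_license">
        <?php wp_nonce_field( 'example_license_save', '_example_nonce' ); ?>
        <input type="text" name="license_key" value="<?php echo esc_attr( get_option( 'example_license_key', '' ) ); ?>">
        <?php submit_button( 'Save license' ); ?>
    </form>
    <?php
}
```

A nonce alone is not an authorization check, which is why the fixed handler also confirms the capability before touching the option.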


How This Could Impact Your Website

On a typical WordPress site, multiple people may have access: a site owner, internal staff (editors or administrators), and external contractors or contributors. If an administrator or another privileged user is tricked into following a malicious link, an attacker could update the plugin license setting and cause the site to download and install additional plugin components without the site owner’s consent.

Practical consequences include unauthorized changes to plugin configuration and the installation of pro features that were not approved by the site owner. While this does not necessarily mean full site compromise, it increases the risk of untrusted code running on the site and may expose site users to further risks such as targeted phishing or social engineering if attacker-controlled functionality is installed.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially accounts with administrative privileges.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and plugin installations for unusual behavior or unauthorized changes.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
