Security Alert Summary
The Skysa Text Ticker App plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability in all versions up to and including 1.4. Missing or incorrect nonce validation in the SkysaApps_Admin_AppPage function can allow an attacker to trick an administrator into submitting a forged request that changes the plugin’s settings, such as the scrolling message text and URL.
CVE Details
- CVE ID: CVE-2026-6710
- Affected component: Skysa Text Ticker App plugin for WordPress
- Affected versions: All versions up to and including 1.4
- Published: May 12, 2026 at 9:16:56 AM UTC
- Last modified: May 12, 2026 at 2:03:52 PM UTC
- CVSS v3.1: Base Score 4.3 (Medium)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Attack requirements: the attacker needs no account or privileges on the site (PR:N), but the forged request only has effect if a logged-in administrator is induced to interact, for example by opening a crafted page or link (UI:R). The administrator's own session and capabilities are what the attacker borrows.
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- Weakness: CWE-352 (Cross-Site Request Forgery)
Technical Details
This issue is a Cross-Site Request Forgery (CSRF) vulnerability caused by missing or incorrect nonce validation in the SkysaApps_Admin_AppPage function. A WordPress nonce is the token that ties a settings submission to the user who loaded the form and to the specific action being performed; because that check is absent or not enforced, the handler accepts any request carrying the administrator's cookies, regardless of which site originated it. An attacker can therefore host a page or link that, when an administrator opens it while logged in, causes the administrator's browser to submit the settings form on the attacker's behalf. The description specifically identifies changes to the scrolling message text and the target URL as possible outcomes of a successful forged request. The references below cite two line anchors in the plugin's admin.php; whatever each one does, the general lesson is that every request path that writes settings needs its own nonce and capability check, not only the main form handler.
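The two patterns side by side, as an illustrative example added for this page. This is not the plugin's code: the handler name SkysaApps_Admin_AppPage is the only identifier taken from the advisory, and the function, option and field names used here (skysa_example_*, skysa_message, skysa_url) are invented for the example. The vulnerable form saves settings from $_POST with no nonce check, which is the CWE-352 pattern the advisory describes; the hardened form adds a capability check and a nonce bound to the save action.

```php
<?php
// Illustrative example only; NOT the Skysa Text Ticker App plugin's code.
// Option names, field names and function names below are assumptions made
// for the example. The real handler is in skysa-required/admin.php (see
// References) and is not reproduced here.

// --- Vulnerable pattern (CWE-352): settings written from $_POST with no
// nonce check. A cross-origin POST that carries the admin's session cookie
// is indistinguishable from a real submit of the settings form.
function skysa_example_admin_page_vulnerable() {
    if ( isset( $_POST['skysa_message'] ) ) {
        // No check_admin_referer()/wp_verify_nonce(): any page the admin
        // visits can submit this form for them.
        update_option( 'skysa_example_message', wp_kses_post( wp_unslash( $_POST['skysa_message'] ) ) );
        update_option( 'skysa_example_url', esc_url_raw( wp_unslash( $_POST['skysa_url'] ?? '' ) ) );
    }
    skysa_example_render_form( false );
}

// --- Hardened pattern: authorization check plus a nonce tied to this action.
function skysa_example_admin_page_fixed() {
    if ( isset( $_POST['skysa_message'] ) ) {
        // 1. Authorization: nonces are not an access control, so check the
        //    capability explicitly as well.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'skysa-example' ), 403 );
        }
        // 2. CSRF: check_admin_referer() verifies the nonce in
        //    $_POST['skysa_example_nonce'] was generated for this user and
        //    this action within its lifetime, and dies otherwise.
        check_admin_referer( 'skysa_example_save_settings', 'skysa_example_nonce' );

        update_option( 'skysa_example_message', wp_kses_post( wp_unslash( $_POST['skysa_message'] ) ) );
        update_option( 'skysa_example_url', esc_url_raw( wp_unslash( $_POST['skysa_url'] ?? '' ) ) );
    }
    skysa_example_render_form( true );
}

// Renders the settings form; the hardened page embeds the nonce field.
function skysa_example_render_form( $with_nonce ) {
    $message = get_option( 'skysa_example_message', '' );
    $url     = get_option( 'skysa_example_url', '' );
    ?>
    <form method="post">
        <?php
        if ( $with_nonce ) {
            // Emits a hidden skysa_example_nonce input (plus _wp_http_referer)
            // whose value only a real load of this page by this user produces.
            wp_nonce_field( 'skysa_example_save_settings', 'skysa_example_nonce' );
        }
        ?>
        <input type="text" name="skysa_message" value="<?php echo esc_attr( $message ); ?>">
        <input type="url"  name="skysa_url"     value="<?php echo esc_attr( $url ); ?>">
        <?php submit_button( __( 'Save', 'skysa-example' ) ); ?>
    </form>
    <?php
}
```

An attacker cannot obtain a valid nonce for the administrator's session from another origin, so a forged submission fails the check_admin_referer() call before any option is written. The capability check matters independently: a nonce proves the request came from a form this user loaded, not that the user is allowed to change the setting.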
How This Could Impact Your Website
In a typical small site workflow, a site owner and internal staff manage content while external contractors or contributors may have limited access. The attacker cannot change the settings directly; they need an administrator (or any other user permitted to save the plugin's settings) to open a malicious page or link while logged in. If that happens, the attacker can change the ticker's displayed message or its destination URL. This could be used to present misleading information to visitors or to direct users to external sites that attempt credential harvesting or social engineering. The issue does not indicate direct disclosure of stored user data, but altered messages or links can increase the risk of targeted phishing against staff or users. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. Until then, or if no fixed release appears, deactivate the plugin (or remove it) rather than leaving a known-vulnerable version active.
- Review and reduce unnecessary user roles, especially accounts with administrative privileges.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and plugin configuration changes for unusual behavior.
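The last item, monitoring configuration changes, is concrete enough to show. The following must-use plugin is an added example, not part of the advisory or the Skysa plugin: it hooks WordPress's updated_option action and writes an audit line whenever an option matching a watched prefix changes. The prefixes are an assumption; inspect wp_options to find the names the ticker plugin actually uses.

```php
<?php
/**
 * Plugin Name: Example Option Change Audit
 * Description: Illustrative audit hook added for this page; not the ticker plugin's code.
 *              Place in wp-content/mu-plugins/ so it loads on every request.
 */

// ASSUMPTION: the ticker's settings live in options whose names start with
// one of these prefixes. Replace with the real names after checking wp_options.
const SKYSA_EXAMPLE_AUDIT_PREFIXES = array( 'skysa', 'SkysaApps' );

// Case-insensitive prefix match against the watch list.
function skysa_example_option_is_watched( $option ) {
    foreach ( SKYSA_EXAMPLE_AUDIT_PREFIXES as $prefix ) {
        if ( 0 === stripos( $option, $prefix ) ) {
            return true;
        }
    }
    return false;
}

// Pull a request header into the record, sanitised; empty string if absent.
function skysa_example_header( $key ) {
    return isset( $_SERVER[ $key ] ) ? sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) ) : '';
}

// updated_option fires after update_option() has stored a changed value.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( ! skysa_example_option_is_watched( $option ) ) {
        return;
    }
    $record = array(
        'time'    => gmdate( 'c' ),
        'option'  => $option,
        'user_id' => get_current_user_id(),
        'ip'      => skysa_example_header( 'REMOTE_ADDR' ),
        // On a forged request these usually name the attacker's site instead of
        // wp-admin, or are absent. They are attacker-influenced, so treat them as
        // a triage hint, not as proof either way.
        'referer' => skysa_example_header( 'HTTP_REFERER' ),
        'origin'  => skysa_example_header( 'HTTP_ORIGIN' ),
        'old'     => maybe_serialize( $old_value ),
        'new'     => maybe_serialize( $value ),
    );
    // Goes to the PHP error log (WP_DEBUG_LOG sends it to wp-content/debug.log);
    // ship it to your SIEM from there.
    error_log( 'option-audit ' . wp_json_encode( $record ) );
}, 10, 3 );
```

A change to the ticker message or URL recorded with an administrator's user ID but a referer or origin outside your own domain is exactly the signature a successful CSRF against this plugin would leave, and is worth investigating as such.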
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/skysa-text-ticker-app/tags/1.4/skysa-required/admin.php#L215
- https://plugins.trac.wordpress.org/browser/skysa-text-ticker-app/tags/1.4/skysa-required/admin.php#L281
- https://plugins.trac.wordpress.org/browser/skysa-text-ticker-app/trunk/skysa-required/admin.php#L215
- https://plugins.trac.wordpress.org/browser/skysa-text-ticker-app/trunk/skysa-required/admin.php#L281
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bcd5b83a-7d51-455b-bb31-dd776264fc6b?source=cve