WordPress Plugin Vulnerabilities

Modular Connector < 2.6.0 - Cross-Site Request Forgery via postConfirmOauth

Description

The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
modular-connector
Fixed in 2.6.0

References

CVE
CVE-2026-3903
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/913a94ad-f425-4d24-9e23-7074ecfed8ad

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
fe2b101a-d065-4fc2-91d8-0a639bcc3f35

Timeline

Publicly Published
2026-03-10 (about 2 months ago)
Added
2026-03-10 (about 2 months ago)
Last Updated
2026-03-11 (about 2 months ago)

Other

Published
Title
Published
2023-11-07
Title
Auto Affiliate Links < 6.4.2.5 - Settings Update to Stored XSS via CSRF
Published
2022-05-23
Title
Private Files <= 0.40 - Protection Disabling via CSRF
Published
2021-06-30
Title
WooCommerce Custom Registration Form <= 1.0.4 - Arbitrary Field Deletion and Form Modification via CSRF
Published
2023-04-19
Title
ShopEngine < 4.1.2 - CSRF
Published
2025-09-05
Title
Woocommerce Notify Updated Product <= 1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting