MEDIUM 4.3

CVE-2026-10553: jQuery Hover Footnotes CSRF & Stored XSS Vulnerability

The jQuery Hover Footnotes plugin for WordPress contains a flaw that allows attackers to trick site administrators into unknowingly changing plugin settings. When an admin clicks a malicious link, the attacker can alter how the plugin displays content—including injecting malicious code that affects every visitor to the site. The vulnerability chains two separate weaknesses: the ability to forge requests without verification, followed by the ability to inject unescaped code into pages.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-352
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10553 is a Cross-Site Request Forgery (CSRF) vulnerability in jQuery Hover Footnotes versions up to 1.4 stemming from missing or inadequate nonce validation in the jqFootnotes_options_subpanel function. The vulnerability is dangerous because it can be chained with a Stored Cross-Site Scripting (XSS) flaw: when an attacker modifies plugin options such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title via forged requests, these values are persisted without sanitization through update_option() and subsequently rendered unescaped on the frontend. This two-step exploitation results in persistent XSS affecting all site visitors, not just administrators.

Business impact

An attacker exploiting this vulnerability can deface or inject malicious content into every page served by a vulnerable WordPress site. The stored nature of the attack means the injected content persists until remediated. Site visitors may be redirected, have credentials harvested, or encounter malware. Site reputation damage, compliance violations (PCI-DSS, GDPR), and user trust erosion are material business risks. Because exploitation only requires tricking an administrator to click a link—a low bar—any site running the plugin remains at risk.

Affected systems

All versions of the jQuery Hover Footnotes plugin for WordPress up to and including version 1.4 are vulnerable. The vulnerability affects any WordPress site that has this plugin installed and activated, regardless of other security controls.

Exploitability

Exploitation is relatively straightforward and requires low technical skill. An attacker crafts a malicious link or embeds a forged request in a webpage, then tricks a site administrator into clicking it or visiting the attacker's page. No authentication is required from the attacker's perspective—only social engineering against the admin. The CVSS score of 4.3 (MEDIUM) reflects that while impact is limited to integrity (no confidentiality or availability loss), the attack vector is network-based and user interaction is required but not difficult to achieve.

Remediation

The plugin maintainers must release a patched version that implements proper nonce validation on the jqFootnotes_options_subpanel function and sanitizes all option values before storage and unescaping during output. Site administrators should immediately disable and remove the plugin if an update is not available, or update to a patched version as soon as released. If the plugin must remain in use, restrict administrative access to trusted users and educate admins about CSRF phishing tactics.

Patch guidance

Monitor the jQuery Hover Footnotes plugin repository and the WordPress plugin directory for security updates. Once a patched version is released, apply it immediately via the WordPress admin dashboard. Verify the patch addresses both the nonce validation gap and output escaping. If the developer does not release a patch in a reasonable timeframe, consider switching to an actively maintained alternative for footnote functionality. Always test patches in a staging environment before production deployment.

Detection guidance

Monitor WordPress plugin update logs and configuration change audits for unexpected modifications to jQuery Hover Footnotes settings. Check the wp_options table for suspicious values in jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title fields. Review server access logs for POST requests to the plugin's admin handler that lack corresponding logged admin interactions. Look for admin session activity from unusual geographic locations or user agents. Web Application Firewall (WAF) rules can flag requests to the vulnerable function lacking valid nonce parameters. Front-end content monitoring tools can detect injected scripts in page source code.

Why prioritize this

While the CVSS score is MEDIUM (4.3), the real-world risk is elevated because the attack chain is simple to execute and the impact is persistent. Unlike many CSRF flaws that merely enable unauthorized configuration changes, this vulnerability directly leads to site-wide content injection. Any WordPress site running this plugin should prioritize patching or removal within days, not weeks. The requirement for admin interaction is a common vector in WordPress-targeted phishing campaigns.

Risk score, explained

CVSS 4.3 reflects a network-accessible vulnerability requiring user interaction (the admin clicking a link) with limited impact scope (integrity only, no confidentiality or availability impact). However, the severity is elevated in practice by the fact that the resulting XSS is stored and affects all site visitors, making this more damaging than a typical CSRF vulnerability. Organizations should treat this as higher priority than the base score alone suggests if the plugin is in use.

Frequently asked questions

Can an attacker exploit this without the site administrator clicking anything?

No. The core CSRF vulnerability requires the administrator to be tricked into clicking a malicious link or visiting a page containing a forged request. However, this is a low bar—phishing emails or malicious ads can easily distribute such links.

If I update the plugin, will it remove malicious code already injected into my site?

A plugin update will fix the vulnerability going forward by validating nonces and escaping output. However, it will not automatically clean up malicious option values already stored in the database. You must manually inspect and restore legitimate settings for jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title via the database or plugin settings panel.

What if I don't use the affected plugin settings mentioned in the CVE?

All sites running the plugin up to version 1.4 are vulnerable to the CSRF attack itself, regardless of which settings you actively use. An attacker can still modify settings you don't display on the frontend; the risk is whether those settings are rendered unescaped on any public page.

Is there a workaround if I cannot update immediately?

Yes. Restrict the wp-admin area by IP whitelist or disable the plugin entirely. You can also use a WordPress security plugin with CSRF token enforcement, though this does not replace a vendor patch. The safest option is to deactivate the jQuery Hover Footnotes plugin until a patch is available.

This analysis is based on the CVE record and vendor advisories published as of the date shown. Security landscape and patch availability may change; verify current patch status with the WordPress plugin directory and the plugin vendor before deployment. SEC.co makes no warranty regarding the completeness, accuracy, or timeliness of this information. Organizations should conduct their own risk assessment and consult with security professionals to determine applicability and remediation timelines for their infrastructure. This vulnerability analysis does not constitute security advice tailored to your specific environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).