MEDIUM 4.3

CVE-2026-9722: Laiser Tag WordPress Plugin CSRF Vulnerability – Update to 1.2.5+

The Laiser Tag plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability affecting all versions through 1.2.5. An attacker can craft a malicious link or webpage that, when clicked by a site administrator, silently modifies critical plugin settings without the administrator's knowledge or consent. This includes changes to API keys, tag filtering rules, and tagging behavior—settings that directly control how the plugin functions across the site.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-352
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the addOptionsPageFields function. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, tag blacklist, relevance threshold, batch size, and tagging toggles, via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The addOptionsPageFields function in the Laiser Tag plugin fails to implement or properly validate nonce tokens on admin settings updates. CSRF vulnerabilities occur when a web application performs state-changing actions based solely on authenticated session cookies, without verifying that the request originated from the legitimate user. An attacker can host a malicious page containing a form or JavaScript that targets the plugin's settings endpoint, and when a logged-in WordPress administrator visits that page, their browser automatically submits the forged request using their existing session credentials.

Business impact

A successful CSRF attack against this plugin can result in unauthorized modification of plugin configuration, potentially disrupting the site's content tagging functionality or exposing it to malicious API endpoints. If an attacker changes the API key to point to an attacker-controlled service, they could intercept, manipulate, or exfiltrate data flowing through the tagging system. The attack requires social engineering to trick an administrator into visiting a malicious site, but the barrier to execution is low and the consequences are not trivial if the plugin plays a role in content management or SEO workflows.

Affected systems

WordPress installations running the Laiser Tag plugin in any version up to and including 1.2.5 are vulnerable. The attack requires an authenticated administrator session, so the risk applies primarily to multi-author or high-traffic WordPress sites where administrators may be more likely to visit untrusted links or where social engineering campaigns could be targeted.

Exploitability

Exploitability is moderate. The attack is straightforward to execute from a technical standpoint—an attacker needs only to craft a web page with a form targeting the plugin's settings endpoint. However, successful exploitation requires user interaction: a site administrator must visit the attacker-controlled page while logged into WordPress. This makes the vulnerability dependent on social engineering rather than a fully automated attack vector. No special tools, authentication credentials, or advanced techniques are required beyond basic web development knowledge.

Remediation

Update the Laiser Tag plugin to a version that implements proper nonce validation on the addOptionsPageFields function. Verify against the official plugin repository or vendor advisory for the specific patched version. Site administrators should also review plugin settings for any unexpected changes, especially API keys and filtering rules, as part of post-incident validation.

Patch guidance

Check the WordPress plugin repository or contact the plugin vendor directly for availability of a patched version. Once a secure version is released, update through the WordPress admin dashboard (Plugins > Installed Plugins > Laiser Tag > Update). After updating, verify that plugin settings (API keys, tag lists, thresholds) remain as configured; if any appear modified, investigate for signs of prior exploitation. Test the plugin's functionality on a staging environment before deploying to production if running a critical tagging workflow.

Detection guidance

Monitor WordPress admin access logs and plugin settings audit trails for unexpected changes to the Laiser Tag plugin configuration, particularly modifications to API keys, tag blacklist entries, or batch size settings. If available, enable and review WordPress security audit plugins that log settings changes with timestamps and associated user accounts. Check for admin sessions from unexpected IP addresses or user agents around the time of suspected configuration changes. Review web server access logs for unusual referrer headers or POST requests to the plugin's settings page originating from external domains.

Why prioritize this

This vulnerability merits prompt but not emergency patching. The CVSS score of 4.3 (MEDIUM) reflects the moderate severity and the requirement for user interaction. However, because it affects plugin settings that control data processing and API integration, the integrity impact is real. Prioritize patching for WordPress sites where administrators frequently interact with untrusted content, or where the Laiser Tag plugin integrates with sensitive third-party APIs.

Risk score, explained

The CVSS:3.1 score of 4.3 is driven by a network-based attack vector with low complexity, but mitigated by the requirement for user interaction (UI:R) and lack of impact on confidentiality or availability. The vulnerability results in integrity impact (I:L), as unauthorized settings modifications can degrade or alter plugin behavior. The scope is unchanged, meaning the impact is limited to the plugin and not the broader WordPress installation.

Frequently asked questions

Can this vulnerability be exploited without tricking an administrator into clicking a link?

No. CSRF vulnerabilities of this type require user interaction—specifically, the administrator must visit the attacker's page or click a malicious link while logged into WordPress. A purely automated remote exploit is not possible.

What settings can an attacker modify if they successfully exploit this vulnerability?

An attacker can change the API key, tag blacklist, relevance threshold, batch size, and toggle the tagging feature on or off. These changes affect how the plugin processes and tags content across the site.

How can I tell if my Laiser Tag plugin has been compromised via this vulnerability?

Review the plugin's settings in the WordPress admin dashboard, especially the API key and tag blacklist. If any of these settings appear different from what you configured, or if you notice unexpected changes in content tagging behavior, investigate your admin access logs for suspicious activity and consider changing administrator passwords and API keys.

Is there a temporary mitigation if I cannot update immediately?

The most effective interim mitigation is to restrict access to the WordPress admin dashboard to known IP addresses only, which limits the pool of potential attackers who can trick administrators. Additionally, educate site administrators not to click links from untrusted sources while logged into WordPress. However, these are only temporary measures; a timely plugin update is the proper fix.

This analysis is provided for informational purposes and represents the state of publicly available information as of the publication date. Patch availability, timelines, and version numbers should be verified directly with the plugin vendor or WordPress plugin repository. Organizations should conduct their own risk assessment based on their specific deployment configuration, usage of the Laiser Tag plugin, and administrator security practices. SEC.co makes no warranties regarding the completeness or accuracy of vulnerability information and recommends consulting official vendor advisories and security bulletins for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).