{"api_version":"1","generated_at":"2026-04-24T12:36:56+00:00","cve":"CVE-2026-3903","urls":{"html":"https://cve.report/CVE-2026-3903","api":"https://cve.report/api/cve/CVE-2026-3903.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-3903","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-3903"},"summary":{"title":"Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth","description":"The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-03-11 08:16:04","updated_at":"2026-04-22 21:27:27"},"problem_types":["CWE-352","CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/changeset/3441222/","name":"https://plugins.trac.wordpress.org/changeset/3441222/","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/913a94ad-f425-4d24-9e23-7074ecfed8ad?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/913a94ad-f425-4d24-9e23-7074ecfed8ad?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-3903","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3903","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"modulards","product":"Modular DS: Monitor, update, and backup multiple websites","version":"affected 2.5.1 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-03-10T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Dmitrii Ignatyev","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"3903","cve":"CVE-2026-3903","epss":"0.000150000","percentile":"0.032850000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:14"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-3903","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-11T13:37:48.328029Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-11T13:39:07.783Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Modular DS: Monitor, update, and backup multiple websites","vendor":"modulards","versions":[{"lessThanOrEqual":"2.5.1","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Dmitrii Ignatyev"}],"descriptions":[{"lang":"en","value":"The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}],"metrics":[{"cvssV3_1":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-352","description":"CWE-352 Cross-Site Request Forgery (CSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:06:55.839Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/913a94ad-f425-4d24-9e23-7074ecfed8ad?source=cve"},{"url":"https://plugins.trac.wordpress.org/changeset/3441222/"}],"timeline":[{"lang":"en","time":"2026-03-10T00:00:00.000Z","value":"Disclosed"}],"title":"Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2026-3903","datePublished":"2026-03-11T07:36:25.132Z","dateReserved":"2026-03-10T18:58:10.198Z","dateUpdated":"2026-04-08T17:06:55.839Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-11 08:16:04","lastModifiedDate":"2026-04-22 21:27:27","problem_types":["CWE-352","CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"3903","Ordinal":"1","Title":"Modular Connector <= 2.5.1 - Cross-Site Request Forgery via post","CVE":"CVE-2026-3903","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"3903","Ordinal":"1","NoteData":"The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","Type":"Description","Title":"Modular Connector <= 2.5.1 - Cross-Site Request Forgery via post"}]}}}