Cross-Site Request Forgery Vulnerability in Auto Making JSON-LD Plugin for WordPress
CVE-2026-8938

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Auto Making Json-ld
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-8938?

The Auto Making JSON-LD plugin for WordPress is vulnerable to a Cross-Site Request Forgery attack due to improper nonce validation in the amJL_certification function. This vulnerability allows unauthenticated attackers to manipulate the plugin's license key option, leading to unauthorized license validation and installation of pro features on the victim's website. Exploitation requires the attacker to trick an administrator into performing a specific action, such as clicking a malicious link, enabling potential downstream effects that could compromise the site's security by installing unapproved plugin components.

Affected Version(s)

auto making JSON-LD 0 <= 4.5.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/auto-making-js...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 19, 2026

Credit

Muhammad Afnaan

CVE-2026-8938 Data

JSON