Logo
Retour à la veille

CVE-2026-4297

Publié : 24 juin 2026
Modifié : 24 juin 2026
Lien officiel NVD
Score CVSS
8.8
HIGH

Description détaillée

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() (verifying credentials are valid) but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Références et Patchs

https://plugins.trac.wordpress.org/browser/newscred-publishing/tags/0.0.31/newscred.php#L264https://plugins.trac.wordpress.org/browser/newscred-publishing/tags/0.0.31/newscred.php#L265https://plugins.trac.wordpress.org/browser/newscred-publishing/tags/0.0.31/newscred.php#L272https://plugins.trac.wordpress.org/browser/newscred-publishing/tags/0.0.31/newscred.php#L44https://plugins.trac.wordpress.org/browser/newscred-publishing/trunk/newscred.php#L264https://plugins.trac.wordpress.org/browser/newscred-publishing/trunk/newscred.php#L265https://plugins.trac.wordpress.org/browser/newscred-publishing/trunk/newscred.php#L272https://plugins.trac.wordpress.org/browser/newscred-publishing/trunk/newscred.php#L44https://www.wordfence.com/threat-intel/vulnerabilities/id/47e53fd3-4e3f-433a-8e70-3a58c864184a?source=cve

Dernières Vulnérabilités

CVE-2026-10745

Improper output neutralization for logs vulnerability in upKeeper Solutions upKeeper Instant Privilege Access on Windows allows Log Injection-Tampering-Forging. This issue affects upKeeper Instant Privilege Access: through 1.6.1.

VOIR DÉTAILS

CVE-2026-7761

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.

VOIR DÉTAILS

CVE-2026-56052

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection. This issue affects Funnel Builder by FunnelKit: from n/a through 3.15.0.5.

VOIR DÉTAILS