Authorization Bypass Vulnerability in Solace Extra Plugin for WordPress
CVE-2026-13250

5.3MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-13250?

The Solace Extra plugin for WordPress contains a significant authorization bypass vulnerability that affects all versions up to and including 1.5.3. This vulnerability arises from the plugin's failure to adequately verify user permissions, allowing unauthenticated attackers to delete all content that was previously imported using the Starter Template feature. This includes crucial elements like posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates. The vulnerability is exacerbated by improper nonce handling, where nonces generated on wp-admin pages are accessible to any Subscriber visiting specific admin pages. Additionally, the AJAX handler linked to this function is set to be accessible by unauthenticated users, posing a severe risk to WordPress sites utilizing this plugin.

Affected Version(s)

Solace Extra 0 <= 1.5.3

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio (Os)
.