Authorization Bypass Vulnerability in Solace Extra Plugin for WordPress
CVE-2026-13250
What is CVE-2026-13250?
The Solace Extra plugin for WordPress contains a significant authorization bypass vulnerability that affects all versions up to and including 1.5.3. This vulnerability arises from the plugin's failure to adequately verify user permissions, allowing unauthenticated attackers to delete all content that was previously imported using the Starter Template feature. This includes crucial elements like posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates. The vulnerability is exacerbated by improper nonce handling, where nonces generated on wp-admin pages are accessible to any Subscriber visiting specific admin pages. Additionally, the AJAX handler linked to this function is set to be accessible by unauthenticated users, posing a severe risk to WordPress sites utilizing this plugin.
Affected Version(s)
Solace Extra 0 <= 1.5.3