Unauthorized Data Modification in Location Weather Plugin for WordPress
CVE-2026-7249
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 22 May 2026
What is CVE-2026-7249?
The Location Weather plugin for WordPress is susceptible to unauthorized data modifications, stemming from a lack of capability checks in the splw_update_block_options() and lwp_clean_weather_transients() functions. This vulnerability affects all versions up to and including 3.0.2. Authenticated attackers with Contributor-level access or higher can potentially disable all weather blocks and purge weather cache transients. Additionally, the required nonce for these operations is inadvertently exposed to all authenticated users via the wp_localize_script() function on the init hook, further increasing the risk of exploitation.
Affected Version(s)
Location Weather β WordPress Weather Forecast, AQI, Temperature and Weather Widget 0 <= 3.0.2