Unauthorized Data Modification in Location Weather Plugin for WordPress
CVE-2026-7249

4.3MEDIUM

What is CVE-2026-7249?

The Location Weather plugin for WordPress is susceptible to unauthorized data modifications, stemming from a lack of capability checks in the splw_update_block_options() and lwp_clean_weather_transients() functions. This vulnerability affects all versions up to and including 3.0.2. Authenticated attackers with Contributor-level access or higher can potentially disable all weather blocks and purge weather cache transients. Additionally, the required nonce for these operations is inadvertently exposed to all authenticated users via the wp_localize_script() function on the init hook, further increasing the risk of exploitation.

Affected Version(s)

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget 0 <= 3.0.2

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

momopon1415
.