CVE-2026-2941

The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy search and replace item details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp capabilities database field, which allows attackers to change their own role to administrator, which leads to privilege escalation.