PT-2026-31569 · WordPress · Ziggeo

Nabil Irawan · Published 2026-04-09 · Updated 2026-04-10 · CVE-2026-4124

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Ziggeo plugin for WordPress, versions through 3.1.1
Description: The Ziggeo plugin for WordPress is susceptible to missing authorization checks. The wp_ajax_ziggeo_ajax handler verifies a nonce but does not confirm user capabilities using current_user_can(). The nonce (ziggeo_ajax_nonce) is publicly exposed to all logged-in users through the wp_head and admin_head hooks. This allows authenticated attackers with Subscriber-level access or higher to perform administrative actions, including saving arbitrary translation strings via update_option('ziggeo_translations'), creating, updating, and deleting event templates via update_option('ziggeo_events'), modifying SDK application settings, and managing notifications via update_option('ziggeo_notifications').
Recommendations: Versions prior to 3.1.2 should be updated. As a temporary workaround, consider disabling the wp_ajax_ziggeo_ajax handler until a patch is available.
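The pattern the description names, shown as an added PHP example that is not Ziggeo's code: a hypothetical admin-ajax handler that only verifies a nonce, beside the same handler with the capability check that was missing, plus an early-priority gate in the spirit of the workaround above. The hook, nonce, option and function names (`example_*`) are assumptions, and the gate assumes the plugin's own callback runs at WordPress's default priority 10.

```php
<?php
// Added example (hypothetical, not Ziggeo's code). All example_* names are assumptions.

// Vulnerable pattern: check_ajax_referer() proves the request came from a page that
// printed the nonce, but the nonce is printed for every logged-in user (wp_head /
// admin_head), so it says nothing about whether this user may change settings.
function example_ajax_handler_vulnerable() {
    check_ajax_referer( 'example_ajax_nonce', 'nonce' );      // CSRF check only
    $templates = wp_unslash( $_POST['templates'] ?? array() );
    update_option( 'example_event_templates', $templates );   // reachable by a Subscriber
    wp_send_json_success();
}

// Hardened pattern: CSRF protection and authorization are separate checks. The nonce
// stays; current_user_can() decides whether this user is allowed to act at all.
function example_ajax_handler_fixed() {
    check_ajax_referer( 'example_ajax_nonce', 'nonce' );      // CSRF: still required
    if ( ! current_user_can( 'manage_options' ) ) {           // authorization
        // wp_send_json_error() terminates the request; nothing below runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $raw = isset( $_POST['templates'] ) && is_array( $_POST['templates'] )
        ? wp_unslash( $_POST['templates'] )
        : array();
    // Validate the payload as well: keep only strings and sanitize each one.
    $templates = array_map( 'sanitize_text_field', array_filter( $raw, 'is_string' ) );
    update_option( 'example_event_templates', $templates );
    wp_send_json_success();
}

// Register only the logged-in variant; wp_ajax_nopriv_* is deliberately not registered.
add_action( 'wp_ajax_example_ajax', 'example_ajax_handler_fixed' );

// Temporary gate for a site that cannot update yet (assumption: the plugin's own
// handler is hooked at the default priority 10). A priority-0 callback on the same
// hook rejects non-administrators before the plugin's handler is reached.
add_action( 'wp_ajax_example_ajax', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
}, 0 );
```

The gate belongs in a must-use plugin (wp-content/mu-plugins/) so it loads regardless of plugin order and is removed once the fixed version is installed.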

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-4124

Affected Products: Ziggeo