PT-2026-34300 · WordPress · Breaking News Wp

Published 2026-04-22 · Updated 2026-04-25 · CVE-2026-4280

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Breaking News WP versions prior to 1.4

Description: The Breaking News WP plugin for WordPress contains a Local File Inclusion issue. The 'brnwp_ajax_form' AJAX endpoint lacks an authorization check and CSRF verification. Additionally, there is insufficient path validation when the brnwp_theme option value is passed to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. Although sanitize_text_field() is applied, it does not remove directory traversal sequences (../). This allows authenticated attackers with Subscriber-level access or higher to overwrite the brnwp_theme option with a directory traversal payload and include arbitrary files from the server when the shortcode is rendered.

Recommendations: Update the plugin to a version newer than 1.3.
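As an added illustration (not code from the Breaking News WP plugin), the shape of a hardened resolver for the include sink described above: the stored option is matched against an allowlist of shipped template names and the resolved path is checked to stay inside the templates directory, since sanitize_text_field() alone leaves "../" intact. The function name, the templates directory and the allowlist are assumptions; the AJAX handler that writes the option separately needs a capability check and nonce verification, which is outside this snippet.

```php
<?php
// Added example for this advisory, not the Breaking News WP plugin's own code.
// brnwp_resolve_template, $allowed_themes and the templates directory are assumed names.

/**
 * Resolve a stored theme option to a template path, or null if it is not safe.
 * Two independent checks, both applied before the value could reach include():
 *   1. allowlist: the value must exactly match a shipped template name;
 *   2. containment: the symlink-resolved file must live inside $base_dir.
 * sanitize_text_field() alone is not enough, because it leaves "../" intact.
 */
function brnwp_resolve_template(string $value, string $base_dir, array $allowed_themes): ?string
{
    // 1. Exact allowlist match; no normalisation, so "default/../default" is rejected too.
    if (!in_array($value, $allowed_themes, true)) {
        return null;
    }
    // 2. Containment: compare canonical paths; the prefix must include the separator
    //    so that a sibling directory such as "templates2" cannot pass.
    $base      = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $value . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: a throwaway templates directory with two real templates
// and one file outside it standing in for "anything else on the server".
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'brnwp_demo_' . getmypid();
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/default.php', "<?php echo 'default template';");
file_put_contents($tmp . '/templates/dark.php', "<?php echo 'dark template';");
file_put_contents($tmp . '/outside.txt', 'not a template');
$allowed = ['default', 'dark'];

// Only 'default' and 'dark' resolve; traversal and unknown names are rejected.
foreach (['default', 'dark', '../outside', 'default/../default', 'missing'] as $input) {
    $resolved = brnwp_resolve_template($input, $tmp . '/templates', $allowed);
    printf("%-22s => %s\n", var_export($input, true),
        $resolved === null ? 'REJECTED' : 'include ' . basename($resolved));
}

// Clean up the fixture.
array_map('unlink', glob($tmp . '/templates/*.php'));
unlink($tmp . '/outside.txt');
rmdir($tmp . '/templates');
rmdir($tmp);
```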

Fix

Path traversal


Weakness Enumeration

Related Identifiers: CVE-2026-4280

Affected Products: Breaking News Wp