PT-2026-42727 · WordPress · Location Weather
Momopon1415 · Published 2026-05-22 · Updated 2026-05-22 · CVE-2026-7249
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Location Weather versions prior to 3.0.3
Description
The Location Weather plugin for WordPress allows unauthorized modification of data because the splw_update_block_options() and lwp_clean_weather_transients() functions lack capability checks. Authenticated attackers with Contributor-level access or higher can exploit this to disable all weather blocks and purge all weather cache transients. The required nonce is exposed to all authenticated users through wp_localize_script() on the init hook.
Recommendations
Update to a version later than 3.0.2.
As a temporary workaround, restrict access to the splw_update_block_options() and lwp_clean_weather_transients() functions to minimize the risk of exploitation.
Fix
Missing Authorization
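An added example, not code from this advisory or from the plugin: a heuristic Python audit that flags wp_ajax_* handlers which verify a nonce but never call current_user_can(), the pattern the description reports. The PHP sample, its handler names and the manage_options capability are constructed for illustration.

```python
import re

# Constructed sample source with hypothetical handler names (not the plugin's code).
SAMPLE_PHP = r'''
add_action( 'wp_ajax_demo_update_options', 'demo_update_options' );
add_action( 'wp_ajax_demo_clean_transients', 'demo_clean_transients' );
function demo_update_options() {
    check_ajax_referer( 'demo_nonce', 'nonce' );  // nonce only, no capability check
    update_option( 'demo_blocks', array() );
}
function demo_clean_transients() {
    check_ajax_referer( 'demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {  // capability chosen for illustration
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'demo_weather' );
}
'''

# Matches string callbacks and array( $obj, 'method' ) / [ $obj, 'method' ] callbacks.
HOOK_RE = re.compile(r"add_action\s*\(\s*['\"](wp_ajax_(?:nopriv_)?\w+)['\"]\s*,\s*"
                     r"(?:(?:array\s*\(|\[)[^,]+,\s*)?['\"](\w+)['\"]")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")

def function_body(src, open_idx):
    """Return the text inside the braces opening at src[open_idx] (ignores braces in strings)."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def audit_ajax_handlers(src):
    """Map each wp_ajax_* hook to whether its callback checks a nonce and a capability."""
    bodies = {m.group(1): function_body(src, m.end() - 1) for m in FUNC_RE.finditer(src)}
    report = {}
    for hook, callback in HOOK_RE.findall(src):
        body = bodies.get(callback, "")
        report[hook] = {
            "callback": callback,
            "nonce": bool(re.search(r"\b(check_ajax_referer|wp_verify_nonce)\s*\(", body)),
            "capability": bool(re.search(r"\bcurrent_user_can\s*\(", body)),
        }
    return report

def missing_authorization(src):
    """Hooks whose callback body contains no current_user_can() call."""
    return sorted(h for h, r in audit_ajax_handlers(src).items() if not r["capability"])
```

The scan is textual, so a capability check performed in a helper the callback calls will show up as a finding and needs manual review.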
Affected Products
Location Weather