PT-2026-60705 · Devozon · Fense Proxy & Vpn Blocker
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense bpvt save settings() function in versions up to, and including, 3.0.1. The callback is registered to both wp ajax * and wp ajax nopriv * hooks and unconditionally calls delete option() on four plugin options and delete transient() on three transients tied to the plugin's API key cache and settings. This makes it possible for unauthenticated attackers to delete plugin options and transients, effectively resetting the plugin's API key/data cache and forcing the plugin to refetch state.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fense Proxy & Vpn Blocker