PT-2026-60705 · Devozon · Fense Proxy & Vpn Blocker

·

CVE-2026-8616

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense bpvt save settings() function in versions up to, and including, 3.0.1. The callback is registered to both wp ajax * and wp ajax nopriv * hooks and unconditionally calls delete option() on four plugin options and delete transient() on three transients tied to the plugin's API key cache and settings. This makes it possible for unauthenticated attackers to delete plugin options and transients, effectively resetting the plugin's API key/data cache and forcing the plugin to refetch state.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8616

Affected Products

Fense Proxy & Vpn Blocker