Medium severity4.3NVD Advisory· Published Mar 7, 2026· Updated Apr 22, 2026

CVE-2026-1981

Description

The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect() function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's API connection settings via the 'winston_disconnect' AJAX action.

Affected products

Winston AI/HUMN-1 AI Website Scanner & Human Certificationllm-create
Range: <=0.0.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/winston-ai-wp/tags/0.0.3/ajax/Ajax_Admin.phpnvd
plugins.trac.wordpress.org/browser/winston-ai-wp/tags/0.0.3/ajax/Ajax_Admin.phpnvd
plugins.trac.wordpress.org/browser/winston-ai-wp/trunk/ajax/Ajax_Admin.phpnvd
plugins.trac.wordpress.org/browser/winston-ai-wp/trunk/ajax/Ajax_Admin.phpnvd
plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/b1a82073-ab63-42dd-9bc0-d21f53a5af25nvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000