CVE-2026-3279
Description
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgrade_jquery_version() function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has known security vulnerabilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Enable jQuery Migrate Helper plugin for WordPress <=1.4.1 allows authenticated subscribers to downgrade jQuery to a vulnerable legacy version due to a missing capability check.
Vulnerability
The Enable jQuery Migrate Helper plugin for WordPress, in all versions up to and including 1.4.1, contains a missing capability check in the downgrade_jquery_version() function. This function only verifies a nonce but does not check user capabilities, allowing any authenticated user to trigger the downgrade. The function is located in class-jquery-migrate-helper.php [1]. The plugin normally runs jQuery 3.7.1, but the downgrade switches the site-wide jQuery to the legacy 1.12.4-wp release.
Exploitation
An attacker needs only a valid WordPress account with Subscriber-level access or higher. The attacker can craft a request to the downgrade_jquery_version() function, passing the required nonce. Since no capability check is performed, the function will execute and update the _jquery_migrate_downgrade_version option to 'yes', effectively downgrading jQuery for all site visitors.
Impact
Successful exploitation forces the site to use jQuery 1.12.4-wp, a legacy version that contains known security vulnerabilities. This can expose the site to client-side attacks such as cross-site scripting (XSS) or other exploits targeting the outdated jQuery library. The attacker does not gain direct server-side access but weakens the site's security posture.
Mitigation
As of the publication date (2026-05-27), no patched version has been released. The vendor has not yet addressed the missing capability check. Users should restrict access to the plugin's functionality by ensuring only trusted administrators have accounts, or consider disabling the plugin until a fix is available. The plugin is not listed on the CISA KEV as of this writing.
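The defect class described above is a handler that treats a nonce as an authorization check. A nonce only ties a request to a page the user loaded (CSRF protection); it says nothing about whether that user may perform the action. The following is an added illustration, not code from the plugin, Wordfence or NVD: the handler names, the nonce action and the option name are hypothetical stand-ins, placed side by side as the weak pattern and the hardened pattern that adds `current_user_can()`.

```php
<?php
// Added illustrative example, not the plugin's own code. All names below
// (handler functions, nonce action, option key) are hypothetical.
// The point: a nonce proves request provenance, not user authorization.

// Weak pattern: nonce only. Any logged-in user who can obtain the nonce
// (it is embedded in pages they are allowed to load) reaches update_option().
function example_downgrade_handler_weak() {
    check_admin_referer( 'example_downgrade_action' ); // CSRF check only
    update_option( '_example_downgrade_version', 'yes' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened pattern: nonce AND capability check. A site-wide change to which
// jQuery build every visitor receives is an administrator-level action, so
// gate it on manage_options and fail with 403 for everyone else.
function example_downgrade_handler_hardened() {
    check_admin_referer( 'example_downgrade_action' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change the jQuery version.' ), 403 );
    }
    update_option( '_example_downgrade_version', 'yes' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Register only the hardened handler on the admin-post hook.
add_action( 'admin_post_example_downgrade', 'example_downgrade_handler_hardened' );
```

For a site running the affected plugin, the observable state change named in this record is the `_jquery_migrate_downgrade_version` option being set to `'yes'`; until a patched version exists, checking that option (for example with `wp option get _jquery_migrate_downgrade_version` from WP-CLI) and reviewing who holds accounts are the practical checks that correspond to the mitigation above.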
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products:
- (no CPE) range: <=1.4.1
- (no CPE) range: <=1.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] plugins.trac.wordpress.org/browser/enable-jquery-migrate-helper/tags/1.4.1/class-jquery-migrate-helper.php (source: NVD)
- [2] plugins.trac.wordpress.org/browser/enable-jquery-migrate-helper/trunk/class-jquery-migrate-helper.php (source: NVD)
- [3] www.wordfence.com/threat-intel/vulnerabilities/id/1a74d5f4-1dd8-4d49-b4ce-8ba7ac9cbcc7 (source: NVD)
News mentions
No linked articles in our index yet.