VYPR
Medium severity4.3NVD Advisory· Published May 22, 2026· Updated May 22, 2026

CVE-2026-7249

CVE-2026-7249

Description

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splw_update_block_options() and lwp_clean_weather_transients() functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via wp_localize_script() on the init hook.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

1