VYPR

Medium severity 4.3 · NVD Advisory · Published May 22, 2026

CVE-2026-7249

Description

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splw_update_block_options() and lwp_clean_weather_transients() functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via wp_localize_script() on the init hook.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Location Weather plugin for WordPress up to 3.0.2 lacks capability checks, allowing Contributor+ users to disable weather blocks and purge cache.

Vulnerability

The Location Weather plugin for WordPress versions up to and including 3.0.2 contains missing capability checks on the splw_update_block_options() and lwp_clean_weather_transients() functions. This allows authenticated users with Contributor-level access or above to perform unauthorized modifications. The nonce required for these actions is exposed to all authenticated users via wp_localize_script() on the init hook, as described in the CVE description. [1]

Exploitation

An attacker with a Contributor-level account (or higher) can exploit this by sending crafted requests to the vulnerable functions. The nonce is readily available to any authenticated user, so no additional privilege escalation is needed. The attacker can trigger splw_update_block_options() to disable all weather blocks, or lwp_clean_weather_transients() to purge all weather cache transients. The steps involve accessing the WordPress admin area and using the exposed nonce to call these functions.

Impact

Successful exploitation allows the attacker to disable all weather blocks on the site and purge all weather cache transients. This results in a denial-of-service condition for weather-related features, as weather data will not be displayed until an administrator re-enables the blocks or the cache is rebuilt. No data is stolen or modified beyond the plugin's settings and cache.

Mitigation

As of the publication date (2026-05-22), no patched version has been released. Users should update to a version later than 3.0.2 once one is available. In the meantime, administrators can restrict Contributor-level access or remove the plugin if it is not needed. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog at this time. [1]
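The following PHP is an added illustration of the two defects the advisory describes (a nonce checked without a capability check, and that nonce handed to every logged-in user on `init`) next to the hardened pattern a plugin author would use. It is not code from the Location Weather plugin, whose `splw_update_block_options()` and `lwp_clean_weather_transients()` bodies are not shown on this page; every function, option, transient and nonce name prefixed `example_` is hypothetical.

```php
<?php
// Added illustration, not the Location Weather plugin's code.
// All example_* names are hypothetical.

// WEAK PATTERN (the class of bug in the advisory): the handler verifies a
// nonce but never asks whether the caller is allowed to change settings.
// Since the same nonce is localized for every authenticated user on init,
// a nonce check alone proves only "some logged-in user", not "an admin".
function example_weak_update_block_options() {
    check_ajax_referer( 'example_weather_nonce', 'nonce' );
    update_option( 'example_weather_blocks_enabled', false );
    wp_send_json_success();
}

// HARDENED PATTERN: authorisation first, then the CSRF token, then a
// validated input rather than an unconditional state change.
function example_hardened_update_block_options() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'example_weather_nonce', 'nonce' );
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_weather_blocks_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

function example_hardened_clean_weather_transients() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'example_weather_nonce', 'nonce' );
    // Purge only this plugin's own cache key (hypothetical transient name).
    delete_transient( 'example_weather_cache' );
    wp_send_json_success();
}

// Register only the hardened handlers; wp_ajax_* (without nopriv) already
// limits them to logged-in users, but that is not an authorisation check.
add_action( 'wp_ajax_example_update_block_options', 'example_hardened_update_block_options' );
add_action( 'wp_ajax_example_clean_weather_transients', 'example_hardened_clean_weather_transients' );

// Expose the nonce only on the privileged settings screen, to users who
// hold the capability the handlers require, instead of on init for everyone.
function example_enqueue_admin_script( $hook_suffix ) {
    if ( 'settings_page_example-weather' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-weather-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-weather-admin', 'exampleWeather', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_weather_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The design point is that a WordPress nonce is a CSRF token, not an authorisation decision: `check_ajax_referer()` establishes that the request came from a page that was given the token, so the capability check (`current_user_can()`) must be made separately in every handler, and the token should only be issued where the privileged action is legitimately offered. Until a fixed release exists, the advisory's interim advice (limiting Contributor accounts or removing the plugin) is the administrator-side counterpart to this code-side fix.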

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.