CVE-2026-1981
Received Received - Intake
Unauthorized Data Modification in HUMN-1 Plugin via Missing Capability Check

Publication date: 2026-03-07

Last updated on: 2026-03-07

Assigner: Wordfence

Description
The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect() function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's API connection settings via the 'winston_disconnect' AJAX action.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-07
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1981
EUVD
EUVD-2026-10090
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
winston_ai winston_ai_wp to 0.0.3 (inc)
winston_ai winston_ai_wp 0.0.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-1981 is a vulnerability in the HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress, specifically in the winston_disconnect() function. The issue arises because this function lacks a proper capability check, allowing authenticated users with Subscriber-level access or higher to reset the plugin's API connection settings via the 'winston_disconnect' AJAX action."}, {'type': 'paragraph', 'content': 'Normally, only administrators should be able to perform such actions, but due to the missing capability check, lower-privileged users can exploit this to modify sensitive plugin data.'}] [1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows authenticated users with relatively low privileges (Subscriber-level and above) to reset the plugin's API connection settings without proper authorization."}, {'type': 'paragraph', 'content': "The impact includes unauthorized modification of the plugin's configuration, which could disrupt the plugin's functionality, potentially causing denial of service or loss of integration with the external Winston AI platform."}, {'type': 'paragraph', 'content': "While the vulnerability does not directly lead to data disclosure or system compromise, it can be used to interfere with the plugin's operation and may serve as a stepping stone for further attacks if combined with other vulnerabilities."}] [1, 2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves unauthorized modification of plugin API connection settings via an AJAX action accessible to authenticated users with Subscriber-level access and above. Detection can focus on monitoring AJAX requests to the 'winston_disconnect' action on WordPress sites using the vulnerable Winston AI plugin versions up to 0.0.3."}, {'type': 'paragraph', 'content': "To detect exploitation attempts, you can monitor HTTP POST requests to the WordPress admin AJAX endpoint (typically /wp-admin/admin-ajax.php) with the parameter 'action=winston_disconnect'."}, {'type': 'paragraph', 'content': 'Example commands to detect such requests in web server logs or via live network traffic include:'}, {'type': 'list_item', 'content': "Using grep on Apache or Nginx logs to find suspicious AJAX calls: grep 'action=winston_disconnect' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "Using tcpdump to capture HTTP POST requests containing 'winston_disconnect': tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'winston_disconnect'"}, {'type': 'list_item', 'content': 'Using WordPress CLI or plugin-specific logs (if available) to audit AJAX requests and user capabilities.'}, {'type': 'paragraph', 'content': 'Additionally, checking for the presence of the vulnerable plugin version (<= 0.0.3) on your WordPress installation can help identify exposure.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the Winston AI WordPress plugin to version 0.0.4 or later, where security improvements have been implemented to enforce administrator capability checks and nonce verification on AJAX actions.'}, {'type': 'paragraph', 'content': "If updating immediately is not possible, restrict access to the WordPress admin AJAX endpoint to trusted users only, and monitor for suspicious AJAX requests involving 'winston_disconnect'."}, {'type': 'paragraph', 'content': 'Additionally, review and tighten user roles and permissions to ensure that only trusted users have Subscriber-level or higher access, as the vulnerability allows authenticated users at Subscriber level and above to exploit it.'}, {'type': 'paragraph', 'content': 'Implement Web Application Firewall (WAF) rules to block unauthorized AJAX requests targeting the vulnerable actions.'}, {'type': 'paragraph', 'content': 'Finally, verify that nonce verification and capability checks are properly enforced in your plugin version, or apply patches that add these security controls.'}] [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1981. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart