CVE-2026-1930
Unauthorized Data Modification in Emailchef WordPress Plugin via Missing Capability Check
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emailchef | emailchef | to 3.5.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated users with Subscriber-level access and above to delete the plugin's settings via an unauthorized AJAX action. This unauthorized modification of data could potentially impact the integrity and availability of data managed by the plugin.
However, there is no specific information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The Emailchef plugin for WordPress has a vulnerability due to a missing capability check in the page_options_ajax_disconnect() function. This flaw allows authenticated users with Subscriber-level access or higher to delete the plugin's settings by exploiting the 'emailchef_disconnect' AJAX action.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers with low-level authenticated access to delete the Emailchef plugin's settings. This unauthorized modification can disrupt the plugin's functionality and potentially affect email-related operations managed by the plugin.