CVE-2026-4280
Received Received - Intake
Local File Inclusion in Breaking News WP Plugin Allows Arbitrary File Access

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Wordfence

Description
The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (../). This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option with a directory traversal payload (e.g., ../../../../etc/passwd) and subsequently trigger file inclusion of arbitrary files on the server when the shortcode is rendered.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4280
EUVD
EUVD-2026-24688
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
breaking_news_wp breaking_news_wp_plugin to 1.3 (inc)
wordfence breaking_news_wp_plugin to 1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Breaking News WP plugin for WordPress has a Local File Inclusion vulnerability in all versions up to and including 1.3. This occurs because the brnwp_ajax_form AJAX endpoint does not have authorization checks or CSRF protection, and it insufficiently validates the path when the brnwp_theme option value is used in an include() statement within the brnwp_show_breaking_news_wp() shortcode handler.

Although sanitize_text_field() is applied to user input, it does not remove directory traversal sequences like "../", allowing authenticated users with Subscriber-level access or higher to overwrite the brnwp_theme option with a directory traversal payload (e.g., "../../../../etc/passwd"). When the shortcode is rendered, this leads to inclusion of arbitrary files on the server.

Impact Analysis

This vulnerability allows an authenticated attacker with Subscriber-level access or higher to include arbitrary files from the server by exploiting directory traversal in the brnwp_theme option. This can lead to disclosure of sensitive files such as system password files, potentially exposing critical information.

Since the vulnerability does not affect integrity or availability directly, the main impact is on confidentiality, as attackers can read files they should not have access to.

Detection Guidance

This vulnerability involves the brnwp_ajax_form AJAX endpoint lacking authorization and CSRF checks, allowing authenticated users with Subscriber-level access to overwrite the brnwp_theme option with directory traversal payloads. Detection can focus on monitoring requests to the brnwp_ajax_form endpoint for suspicious parameters attempting directory traversal sequences such as "../".

You can detect exploitation attempts by inspecting web server logs or using tools like curl or wget to simulate requests to the AJAX endpoint with payloads containing directory traversal patterns.

  • Example command to test the AJAX endpoint for directory traversal payloads (replace URL and cookies as needed):
  • curl -X POST -d 'action=brnwp_ajax_form&brnwp_theme=../../../../etc/passwd' https://yourwordpresssite.com/wp-admin/admin-ajax.php --cookie 'wordpress_logged_in=your_auth_cookie'

Additionally, monitoring for changes to the brnwp_theme option in the WordPress database or via WP-CLI can help detect if the option has been overwritten with suspicious values.

Mitigation Strategies

Immediate mitigation steps include updating the Breaking News WP plugin to a version later than 1.3 where this vulnerability is fixed.

If an update is not immediately available, restrict access to the brnwp_ajax_form AJAX endpoint to trusted users only, and implement additional authorization and CSRF protections at the web application firewall or server level.

Also, review and sanitize the brnwp_theme option values in the database to remove any malicious directory traversal payloads.

Finally, monitor logs for suspicious activity targeting this vulnerability and consider temporarily disabling the plugin if exploitation attempts are detected.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart