CVE-2026-4280
Local File Inclusion in Breaking News WP Plugin Allows Arbitrary File Access

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Wordfence

Description
The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (../). This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option with a directory traversal payload (e.g., ../../../../etc/passwd) and subsequently trigger file inclusion of arbitrary files on the server when the shortcode is rendered.
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Two associated CPEs:

Vendor            Product                  Version / Range
breaking_news_wp  breaking_news_wp_plugin  up to 1.3 (inclusive)
wordfence         breaking_news_wp_plugin  up to 1.3 (inclusive)
CWE
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"): The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

The Breaking News WP plugin for WordPress has a Local File Inclusion vulnerability in all versions up to and including 1.3. This occurs because the brnwp_ajax_form AJAX endpoint does not have authorization checks or CSRF protection, and it insufficiently validates the path when the brnwp_theme option value is used in an include() statement within the brnwp_show_breaking_news_wp() shortcode handler.

Although sanitize_text_field() is applied to user input, it does not remove directory traversal sequences like "../", allowing authenticated users with Subscriber-level access or higher to overwrite the brnwp_theme option with a directory traversal payload (e.g., "../../../../etc/passwd"). When the shortcode is rendered, this leads to inclusion of arbitrary files on the server.


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker with Subscriber-level access or higher to include arbitrary files from the server by exploiting directory traversal in the brnwp_theme option. This can lead to disclosure of sensitive files such as system password files, potentially exposing critical information.

Since the vulnerability does not affect integrity or availability directly, the main impact is on confidentiality, as attackers can read files they should not have access to.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the brnwp_ajax_form AJAX endpoint lacking authorization and CSRF checks, allowing authenticated users with Subscriber-level access to overwrite the brnwp_theme option with directory traversal payloads. Detection can focus on monitoring requests to the brnwp_ajax_form endpoint for suspicious parameters attempting directory traversal sequences such as "../".

You can detect exploitation attempts by inspecting web server logs or using tools like curl or wget to simulate requests to the AJAX endpoint with payloads containing directory traversal patterns.

  • Example command to test the AJAX endpoint for directory traversal payloads (replace URL and cookies as needed):
    curl -X POST -d 'action=brnwp_ajax_form&brnwp_theme=../../../../etc/passwd' https://yourwordpresssite.com/wp-admin/admin-ajax.php --cookie 'wordpress_logged_in=your_auth_cookie'

Additionally, monitoring for changes to the brnwp_theme option in the WordPress database or via WP-CLI can help detect if the option has been overwritten with suspicious values.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the Breaking News WP plugin to a version later than 1.3 where this vulnerability is fixed.

If an update is not immediately available, restrict access to the brnwp_ajax_form AJAX endpoint to trusted users only, and implement additional authorization and CSRF protections at the web application firewall or server level.

Also, review and sanitize the brnwp_theme option values in the database to remove any malicious directory traversal payloads.

Finally, monitor logs for suspicious activity targeting this vulnerability and consider temporarily disabling the plugin if exploitation attempts are detected.
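As an added example, not the plugin's own code (which is not on this page), here is a hardened form of the pattern the description and the mitigation steps refer to, in PHP: a nonce and capability check on the AJAX handler, and allowlist validation of brnwp_theme both when it is written and again before it reaches include(). Assumptions: the handler and shortcode function names carry a _hardened suffix, themes live as themes/<name>.php inside the plugin directory with a default.php present, and the shortcode tag is breaking_news_wp.

```php
<?php
// Added example, not the Breaking News WP plugin's code. Only brnwp_ajax_form,
// brnwp_theme and brnwp_show_breaking_news_wp come from the advisory; the
// rest (suffixes, themes/<name>.php layout, shortcode tag) are assumptions.

// Allowlist validation of a theme name. sanitize_text_field() alone is not
// enough: it strips tags and control characters but leaves "../" intact.
function brnwp_validate_theme( $raw ) {
    $name = sanitize_text_field( wp_unslash( (string) $raw ) );
    // Accept only a plain slug: no slashes, dots, encodings or null bytes.
    if ( ! preg_match( '/^[a-z0-9_-]{1,40}$/', $name ) ) {
        return false;
    }
    // The file must exist under the plugin's themes dir, and realpath() must
    // confirm the resolved path is still inside that directory.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'themes' );
    $path = realpath( $base . '/' . $name . '.php' );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $name;
}

// Hardened AJAX handler: CSRF nonce and capability check before the option
// is touched; the advisory says the vulnerable endpoint had neither.
function brnwp_ajax_form_hardened() {
    check_ajax_referer( 'brnwp_form', 'nonce' );   // nonce from wp_create_nonce( 'brnwp_form' )
    if ( ! current_user_can( 'manage_options' ) ) { // Subscribers must not reach this
        wp_send_json_error( 'forbidden', 403 );
    }
    $theme = brnwp_validate_theme( $_POST['brnwp_theme'] ?? '' );
    if ( false === $theme ) {
        wp_send_json_error( 'invalid theme', 400 );
    }
    update_option( 'brnwp_theme', $theme );
    wp_send_json_success( $theme );
}
add_action( 'wp_ajax_brnwp_ajax_form', 'brnwp_ajax_form_hardened' );

// Render side: re-validate the stored value before include(), so a value written
// by an older version or directly in the database is never included. The log
// line doubles as a detection signal for a tampered option.
function brnwp_show_breaking_news_wp_hardened( $atts ) {
    $theme = brnwp_validate_theme( get_option( 'brnwp_theme', 'default' ) );
    if ( false === $theme ) {
        error_log( 'brnwp: stored brnwp_theme option failed validation; check for tampering' );
        $theme = 'default';
    }
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'themes/' . $theme . '.php';
    return ob_get_clean();
}
add_shortcode( 'breaking_news_wp', 'brnwp_show_breaking_news_wp_hardened' );
```

The same brnwp_validate_theme() check can be run against the current option value (for example via wp eval-file) to audit whether a traversal payload is already stored.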

