CVE-2026-8616
Received Received - Intake

Unauthenticated Option Deletion in Fense Proxy & VPN Blocker

Vulnerability report for CVE-2026-8616, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Wordfence

Description

The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() function in versions up to, and including, 3.0.1. The callback is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks and unconditionally calls delete_option() on four plugin options and delete_transient() on three transients tied to the plugin's API key cache and settings. This makes it possible for unauthenticated attackers to delete plugin options and transients, effectively resetting the plugin's API key/data cache and forcing the plugin to refetch state.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fense_proxy_and_vpn_blocker fense_proxy_and_vpn_blocker to 3.0.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Fense Proxy & VPN Blocker WordPress plugin has a vulnerability in versions up to 3.0.1 where an unauthenticated attacker can delete plugin options and transients by exploiting missing capability checks and nonce validation in the fense_bpvt_save_settings() function. This resets the plugin's API key and data cache, forcing it to refetch state.

Detection Guidance

This vulnerability allows unauthenticated attackers to reset plugin settings and API keys. Check WordPress logs for unauthorized calls to fense_bpvt_save_settings() or unusual deletion of plugin options/transients. Inspect network traffic for requests to wp-admin/admin-ajax.php with suspicious parameters.

Impact Analysis

If you use this plugin, an attacker could reset its settings and API key cache, disrupting its functionality. This may cause the plugin to malfunction or lose configuration data, potentially affecting VPN blocking or proxy features on your WordPress site.

Compliance Impact

This vulnerability allows unauthenticated attackers to delete plugin options and transients, resetting API keys and cached data. While not directly causing data breaches, it could disrupt security controls, potentially violating compliance requirements for data integrity and access controls in standards like GDPR and HIPAA.

Mitigation Strategies
  • Update the Fense Proxy & VPN Blocker plugin to the latest version if available.
  • Temporarily disable the plugin if no update is available until a patch is released.
  • Review WordPress user roles and permissions to ensure only trusted users have admin access.
  • Monitor plugin settings and API keys for unauthorized changes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8616. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart