{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0572", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-02T14:38:38.219Z", "datePublished": "2026-02-04T08:25:31.042Z", "dateUpdated": "2026-04-08T17:09:27.628Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:27.628Z"}, "affected": [{"vendor": "webpurify", "product": "WebPurify Profanity Filter", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings."}], "title": "WebPurify Profanity Filter <= 4.0.2 - Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9283f6ea-8bc4-4fdd-a0b9-05de127f34e4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/webpurifytextreplace/trunk/webpurifytextreplace-options.php?rev=2343695#L92"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "timeline": [{"time": "2026-02-03T19:32:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:48:59.428499Z", "id": "CVE-2026-0572", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:49:05.287Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0572", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:48:59.428499Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:49:02.829Z"}}], "cna": {"title": "WebPurify Profanity Filter <= 4.0.2 - Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options", "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "webpurify", "product": "WebPurify Profanity Filter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T19:32:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9283f6ea-8bc4-4fdd-a0b9-05de127f34e4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/webpurifytextreplace/trunk/webpurifytextreplace-options.php?rev=2343695#L92"}], "descriptions": [{"lang": "en", "value": "The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:27.628Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0572", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:27.628Z", "dateReserved": "2026-01-02T14:38:38.219Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T08:25:31.042Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings."}, {"lang": "es", "value": "El plugin WebPurify Profanity Filter para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n 'webpurify_save_options' en todas las versiones hasta la 4.0.2, inclusive. Esto hace posible que atacantes no autenticados cambien la configuraci\u00f3n del plugin."}], "id": "CVE-2026-0572", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-04T09:15:51.970", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/webpurifytextreplace/trunk/webpurifytextreplace-options.php?rev=2343695#L92"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9283f6ea-8bc4-4fdd-a0b9-05de127f34e4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:27:59.614423+00:00", "value": {"mitigation_remediation": ["Update the WebPurify Profanity Filter plugin to the latest version that includes the capability check for the save options handler.", "If an immediate upgrade is not possible, temporarily disable the plugin or remove its settings page from the administration interface to prevent unauthenticated changes.", "Introduce a monitoring rule or audit log alert for writes to the plugin options to detect any unauthorized modifications."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of plugin settings"}, "threat_synthesis": {"affected_systems": "All releases of the WordPress plugin WebPurify Profanity Filter up to and including version 4.0.2 are affected. No other products are listed as impacted.", "description_and_impact": "The vulnerability arises because the WebPurify Profanity Filter plugin fails to verify user capabilities before executing its settings\u2010update function. The lack of a capability check allows anyone who can submit a request to the \"webpurify_save_options\" endpoint to alter configuration options. Based on the description, it is inferred that the attack vector is an unauthenticated HTTP request to this endpoint, which can enable or disable the profanity filter, change block thresholds, or inject malicious settings, effectively bypassing content moderation. This flaw is a classic missing authorization issue, classified under CWE-862.", "risk_and_exploitability": "The severity rating of 6.5 on the CVSS scale indicates a moderate risk, but the EPSS value of less than 1% suggests that real\u2011world exploitation is rare as of the latest data. The vulnerability is not yet present in the CISA KEV catalog, meaning it has not been reported as a widely observed exploit. Based on the description, it is inferred that an attacker can trigger it with an unauthenticated HTTP request to the option\u2011saving handler; no local access is required, and the window of opportunity is open as long as the old version remains in place."}}}}, "created": "2026-02-04T21:18:25.181498+00:00", "updated": "2026-04-15T21:30:13.897556+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}