{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2284", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-10T14:40:00.956Z", "datePublished": "2026-02-19T04:36:26.287Z", "dateUpdated": "2026-04-08T17:29:58.169Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:58.169Z"}, "affected": [{"vendor": "webangon", "product": "News Element Elementor Blog Magazine", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss."}], "title": "News Element Elementor Blog Magazine <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5d81318-c9da-4626-acfa-f092d2ce5fe9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/news-element/trunk/admin/inc/dash.php#L206"}, {"url": "https://plugins.trac.wordpress.org/browser/news-element/tags/1.0.8/admin/inc/dash.php#L206"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-02-18T15:53:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:26:40.517449Z", "id": "CVE-2026-2284", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:27:00.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2284", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:26:40.517449Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:26:47.491Z"}}], "cna": {"title": "News Element Elementor Blog Magazine <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "webangon", "product": "News Element Elementor Blog Magazine", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:53:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5d81318-c9da-4626-acfa-f092d2ce5fe9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/news-element/trunk/admin/inc/dash.php#L206"}, {"url": "https://plugins.trac.wordpress.org/browser/news-element/tags/1.0.8/admin/inc/dash.php#L206"}], "descriptions": [{"lang": "en", "value": "The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T04:36:26.287Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2284", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:27:00.808Z", "dateReserved": "2026-02-10T14:40:00.956Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:26.287Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss."}, {"lang": "es", "value": "El plugin News Element Elementor Blog Magazine para WordPress es vulnerable a Autorizaci\u00f3n Faltante en todas las versiones hasta la 1.0.8, inclusive. Esto se debe a una verificaci\u00f3n de capacidad faltante y una verificaci\u00f3n de nonce en la acci\u00f3n AJAX 'ne_clean_data'. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, trunquen 8 tablas principales de la base de datos de WordPress (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) y eliminen el directorio completo de subidas de WordPress, lo que resulta en una p\u00e9rdida completa de datos."}], "id": "CVE-2026-2284", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:46.400", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/news-element/tags/1.0.8/admin/inc/dash.php#L206"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/news-element/trunk/admin/inc/dash.php#L206"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5d81318-c9da-4626-acfa-f092d2ce5fe9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "News Element Elementor Blog Magazine", "source": "cna", "vendor": "webangon"}, "product": "news_element_elementor_blog_magazine", "vendor": "webangon"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:01:16.086658+00:00", "value": {"mitigation_remediation": ["Update the News Element Elementor Blog Magazine plugin to a version that includes the fix, such as the latest release beyond 1.0.8.", "Limit or remove subscriber role capabilities that allow triggering of AJAX actions, ensuring only administrators can invoke cleanup functions.", "If upgrading immediately is not possible, a temporary workaround is to disable or remove the 'ne_clean_data' AJAX endpoint from the plugin code, preventing the operation from being called."], "summary": {"action": "Immediate Patch", "impact": "Data Loss"}, "threat_synthesis": {"affected_systems": "The vendor is WebAngon and the affected product is the News Element Elementor Blog Magazine WordPress plugin. All releases up to and including version 1.0.8 are impacted. If you are running 1.0.8 or an earlier release, the vulnerability is present.", "description_and_impact": "The News Element Elementor Blog Magazine plugin for WordPress contains a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. Because of this omission, any authenticated user with subscriber-level access or higher can trigger the action to truncate eight core WordPress database tables \u2013 including posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, and termmeta \u2013 and delete the entire uploads directory. The result is a complete loss of website content and media, compromising the integrity and availability of the site. This flaw is a classic example of Missing Authorization (CWE-862).", "risk_and_exploitability": "The CVSS base score of 5.4 indicates a medium severity vulnerability. The EPSS score of less than 1% shows the probability of exploitation is very low in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack requires only authenticated subscriber access, which many sites grant to regular users, an attacker who has logged into the site can easily exploit the flaw without further credential compromise. Once exploited, the attacker can cause irreversible data loss, so the risk to an organization can be high if the site hosts critical content."}}}}, "created": "2026-02-19T10:06:49.609847+00:00", "updated": "2026-04-15T17:15:10.602391+00:00", "vendors": ["webangon", "webangon$PRODUCT$news_element_elementor_blog_magazine", "wordpress", "wordpress$PRODUCT$wordpress"]}