{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4124", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T13:43:23.239Z", "datePublished": "2026-04-09T02:25:04.372Z", "dateUpdated": "2026-04-13T15:15:09.635Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T02:25:04.372Z"}, "affected": [{"vendor": "oliverfriedmann", "product": "Ziggeo", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks . This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option('ziggeo_events')), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option('ziggeo_notifications'))."}], "title": "Ziggeo <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'ziggeo_ajax' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15477c00-0764-4850-8bce-d65b6b1cbe4c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/ajax.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/ajax.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_translations_ajax.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_translations_ajax.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_editor_events_ajax.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_editor_events_ajax.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_sdk_ajax.php#L8"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_sdk_ajax.php#L8"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/header.php#L67"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/header.php#L67"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494290%40ziggeo&new=3494290%40ziggeo&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4124", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:07:50.969198Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:15:09.635Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4124", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:07:50.969198Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:11:56.453Z"}}], "cna": {"title": "Ziggeo <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'ziggeo_ajax' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "oliverfriedmann", "product": "Ziggeo", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15477c00-0764-4850-8bce-d65b6b1cbe4c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/ajax.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/ajax.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_translations_ajax.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_translations_ajax.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_editor_events_ajax.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_editor_events_ajax.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_sdk_ajax.php#L8"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_sdk_ajax.php#L8"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/header.php#L67"}, {"url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/header.php#L67"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494290%40ziggeo&new=3494290%40ziggeo&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks . This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option('ziggeo_events')), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option('ziggeo_notifications'))."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T02:25:04.372Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4124", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:15:09.635Z", "dateReserved": "2026-03-13T13:43:23.239Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-09T02:25:04.372Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks . This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option('ziggeo_events')), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option('ziggeo_notifications'))."}], "id": "CVE-2026-4124", "lastModified": "2026-04-24T18:03:42.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-09T04:17:14.467", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_editor_events_ajax.php#L13"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_sdk_ajax.php#L8"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/admin/page_translations_ajax.php#L13"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/ajax.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/tags/3.1.1/core/header.php#L67"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_editor_events_ajax.php#L13"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_sdk_ajax.php#L8"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/admin/page_translations_ajax.php#L13"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/ajax.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ziggeo/trunk/core/header.php#L67"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494290%40ziggeo&new=3494290%40ziggeo&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15477c00-0764-4850-8bce-d65b6b1cbe4c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Ziggeo", "source": "cna", "vendor": "oliverfriedmann"}, "product": "ziggeo", "vendor": "oliverfriedmann"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T04:22:47.440389+00:00", "value": {"mitigation_remediation": ["Upgrade the Ziggeo plugin to version 3.2 or later, which adds proper capability checks to the AJAX handler.", "If an upgrade cannot be performed, restrict subscriber access to the wp_ajax_ziggeo_ajax endpoint using a role\u2011management solution or custom code.", "Remove the 'ziggeo_ajax_nonce' from the wp_head and admin_head hooks so that the nonce is not exposed to all users.", "Verify that future releases enforce capability checks before processing AJAX requests.", "Monitor the WordPress options table for unexpected changes to ziggeo_* options and alert administrators."], "summary": {"action": "Patch", "impact": "Privilege Escalation leading to arbitrary configuration changes"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Ziggeo plugin installed from oliverfriedmann, specifically all releases up to version 3.1.1, are affected. Any site running this plugin is therefore exposed.", "description_and_impact": "The Ziggeo WordPress plugin suffers from a missing authorization check in its AJAX handler. The handler only verifies a nonce and does not verify that the caller has the required capability. Because the nonce is exposed to all logged\u2011in users via the page head, any authenticated user with a Subscriber role or higher can invoke the wp_ajax_ziggeo_ajax action and carry out administrative changes such as modifying translation strings, creating or deleting event templates, altering SDK settings and changing notification options. This is a classic case of CWE\u2011862. The impact is that attackers can alter the plugin\u2019s configuration and content, potentially disrupting service or user experience.", "risk_and_exploitability": "The CVSS score is 5.4, indicating medium severity. The attack requires authentication but does not need administrator privileges; a subscriber is sufficient. The nonce is publicly exposed, so an attacker can construct an AJAX POST to /wp-admin/admin-ajax.php with action=ziggeo_ajax and the required parameters. Because no capability check is performed, the request succeeds and updates the database. EPSS data is not available and the issue is not listed in the CISA KEV catalog, but the potential for configuration damage warrants immediate remediation."}}}}, "created": "2026-04-09T08:15:48.194109+00:00", "updated": "2026-04-09T08:25:14.760108+00:00", "vendors": ["oliverfriedmann", "oliverfriedmann$PRODUCT$ziggeo", "wordpress", "wordpress$PRODUCT$wordpress"]}