Description
The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings.
Published: 2026-02-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of plugin settings
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because the WebPurify Profanity Filter plugin fails to verify user capabilities before executing its settings‐update function. The lack of a capability check allows anyone who can submit a request to the "webpurify_save_options" endpoint to alter configuration options. Based on the description, it is inferred that the attack vector is an unauthenticated HTTP request to this endpoint, which can enable or disable the profanity filter, change block thresholds, or inject malicious settings, effectively bypassing content moderation. This flaw is a classic missing authorization issue, classified under CWE-862.

Affected Systems

All releases of the WordPress plugin WebPurify Profanity Filter up to and including version 4.0.2 are affected. No other products are listed as impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the EPSS value of less than 1% indicates a low estimated likelihood of exploitation as of the latest data. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been recorded there as exploited in the wild. Based on the description, it is inferred that an attacker can trigger it with an unauthenticated HTTP request to the option‑saving handler; no local access is required, and the exposure lasts for as long as an affected version remains installed.

Generated by OpenCVE AI on April 15, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WebPurify Profanity Filter plugin to the latest version that includes the capability check for the save options handler.
  • If an immediate upgrade is not possible, temporarily disable the plugin or remove its settings page from the administration interface to prevent unauthenticated changes.
  • Introduce a monitoring rule or audit log alert for writes to the plugin options to detect any unauthorized modifications.

Generated by OpenCVE AI on April 15, 2026 at 21:27 UTC.
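
One way to implement the monitoring action recommended above, as an added example (not OpenCVE's or the plugin's code): a must-use plugin that logs every write to the plugin's options and flags writes made without an administrator session. The `webpurify_` option-name prefix and the `wpaudit_` names are assumptions; confirm the real option names in the site's `wp_options` table.

```php
<?php
// Added example: place in wp-content/mu-plugins/ so it loads before regular plugins.

// ASSUMPTION: the plugin's option names start with this prefix (not stated on
// the page); check the site's wp_options table and adjust.
const WPAUDIT_OPTION_PREFIX = 'webpurify_';

// Hypothetical helper: write one JSON log line per matching option write.
function wpaudit_log_option_write( $event, $option ) {
    if ( strpos( (string) $option, WPAUDIT_OPTION_PREFIX ) !== 0 ) {
        return; // not one of the monitored options
    }
    // Guard for writes that happen before WordPress has loaded its user functions.
    $authorized = function_exists( 'wp_get_current_user' )
        && current_user_can( 'manage_options' );
    $entry = array(
        'event'      => $event,
        'option'     => $option,
        // 0 for unauthenticated requests, and also for cron and WP-CLI runs.
        'user_id'    => get_current_user_id(),
        'authorized' => $authorized,
        'method'     => isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'cli',
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'remote'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    );
    // wp_json_encode() escapes control characters, so request data cannot forge log lines.
    $tag = $authorized ? 'wpaudit' : 'wpaudit ALERT unauthorized-option-write';
    error_log( $tag . ' ' . wp_json_encode( $entry ) );
}

// Core fires these actions after add_option(), update_option() (only when the
// stored value actually changes) and delete_option(); the first argument is
// the option name.
add_action( 'added_option', function ( $option ) {
    wpaudit_log_option_write( 'added', $option );
} );
add_action( 'updated_option', function ( $option ) {
    wpaudit_log_option_write( 'updated', $option );
} );
add_action( 'deleted_option', function ( $option ) {
    wpaudit_log_option_write( 'deleted', $option );
} );
```

Alert on log lines tagged `ALERT`; scheduled tasks and WP-CLI also run without a logged-in user, so allow-list those sources rather than dropping the rule.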


Advisories

No advisories yet.

History

Wed, 04 Feb 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Wed, 04 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings.
Title | | WebPurify Profanity Filter <= 4.0.2 - Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:27.628Z

Reserved: 2026-01-02T14:38:38.219Z

Link: CVE-2026-0572

Vulnrichment

Updated: 2026-02-04T16:49:02.829Z

NVD

Status: Deferred

Published: 2026-02-04T09:15:51.970

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:30:13Z

Weaknesses