Description
The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary plugin settings deletion by authenticated users
Action: Update Plugin
AI Analysis

Impact

The Emailchef WordPress plugin omits a capability check in its page_options_ajax_disconnect() routine. As a result, any authenticated user with Subscriber-level permissions or higher can invoke the emailchef_disconnect AJAX action and delete the plugin's stored configuration, which breaks the site's Emailchef integration and can disrupt any email delivery that depends on it until an administrator reconnects the plugin. The flaw is a missing-authorization issue (CWE-862); by itself it does not allow arbitrary code execution or privilege escalation. The primary impact is loss of configuration integrity, with downtime of Emailchef-dependent email handling as the knock-on effect.
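The pattern behind a CWE-862 finding of this kind, as an added example that is not Emailchef's code (the advisory does not publish the affected source): a WordPress AJAX handler registered on the authenticated wp_ajax_ hook that mutates options without asking who is calling, beside its hardened form. The function names, the option name example_api_key and the nonce action example_disconnect are hypothetical; only the action name emailchef_disconnect comes from the advisory.

```php
<?php
// Added illustration of the CWE-862 pattern; not Emailchef's source code.
// Hypothetical names: example_disconnect_vulnerable, example_disconnect_hardened,
// the option 'example_api_key' and the nonce action 'example_disconnect'.
// Only the AJAX action name 'emailchef_disconnect' is taken from the advisory.

// Vulnerable pattern. The wp_ajax_{action} hook fires for ANY logged-in user, so a
// Subscriber reaches this callback; nothing here checks a capability or a nonce.
function example_disconnect_vulnerable() {
    delete_option( 'example_api_key' );
    wp_send_json_success( array( 'disconnected' => true ) );
}
// Shown for contrast only and deliberately not registered; the hardened handler is.
// add_action( 'wp_ajax_emailchef_disconnect', 'example_disconnect_vulnerable' );

// Hardened pattern: authorize first, then verify the request is intentional (nonce),
// and only then mutate state.
function example_disconnect_hardened() {
    // Authorization: disconnecting the service is an administrator-level change.
    // current_user_can() is false for Subscribers, so the handler stops here for them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF protection: the settings page issues the token with
    // wp_create_nonce( 'example_disconnect' ) and submits it in the 'nonce' field;
    // a missing or stale nonce makes check_ajax_referer() terminate the request.
    check_ajax_referer( 'example_disconnect', 'nonce' );

    delete_option( 'example_api_key' );
    wp_send_json_success( array( 'disconnected' => true ) );
}
add_action( 'wp_ajax_emailchef_disconnect', 'example_disconnect_hardened' );
```

Both checks are needed: a nonce proves the request came from the plugin's own page but says nothing about the caller's role, and a capability check proves the role but does not stop a cross-site request made by an administrator's browser. The capability check goes first so that unauthorized callers always receive the same 403 regardless of whether they guessed a nonce. wp_send_json_error() and wp_send_json_success() exit after responding, so no return statements are needed.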

Affected Systems

The vulnerability affects every release of the Emailchef plugin (vendor: Hanicker) up to and including 3.5.1. Any WordPress site running one of these versions is exposed until the plugin is deactivated, removed, or updated to a release that restores the capability check.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, no user interaction, low privileges required, with a limited impact on integrity and, as scored, none on confidentiality or availability. EPSS is below 1% (Very Low), the issue is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The attacker needs a valid authenticated session at Subscriber level or higher; on sites with open registration that is trivial to obtain, since Subscriber is the default role for new accounts. No code execution results, but deleting the plugin's configuration interrupts Emailchef-dependent email handling until an administrator reconnects it, which is the knock-on effect behind the "service disruption" wording above rather than something the vector itself scores. Sites that allow self-registration or that rely on Emailchef for transactional mail should prioritise remediation.

Generated by OpenCVE AI on April 22, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Emailchef plugin as soon as the vendor publishes a release later than 3.5.1 that restores the capability check; at the time of writing the advisory lists no fixed version.
  • If an update is not immediately possible, temporarily remove or deactivate the Emailchef plugin until a patch can be applied.
  • WordPress has no per-AJAX-action capability that can be revoked, so role configuration alone cannot close this gap. Reduce the pool of low-privilege accounts instead (disable "Anyone can register" under Settings > General unless it is needed, and prune unused Subscriber accounts), and, if the plugin must stay active, block the emailchef_disconnect action for callers without manage_options at the web application firewall or with a must-use plugin that runs before the handler.
  • Monitor requests to wp-admin/admin-ajax.php whose action parameter is emailchef_disconnect (it may arrive in the query string or the POST body, so access logs alone may not show it), alert on any that originate from non-administrator accounts, and investigate unexpected loss of Emailchef settings promptly.
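An interim guard of the kind the third recommendation describes, as an added example that is neither Emailchef's nor WordPress core code: a must-use plugin that hooks the same wp_ajax_emailchef_disconnect action at priority 0, so it runs before a handler registered at WordPress's default priority 10, rejects callers without manage_options and logs the attempt for the monitoring the fourth recommendation asks for. It assumes the plugin registers its handler on that hook at the default priority; if Emailchef used a lower priority the guard would run too late, so confirm the behaviour on a staging copy before relying on it. The file name and log prefix are arbitrary.

```php
<?php
/**
 * Plugin Name: Emailchef disconnect guard (interim mitigation for CVE-2026-1930)
 * Description: Added example, not Emailchef or WordPress code. Place this file in
 *              wp-content/mu-plugins/ and delete it once a fixed plugin release is installed.
 */

// Assumption: the plugin registers its disconnect handler on
// 'wp_ajax_emailchef_disconnect' at the default priority (10). Priority 0 runs first.
add_action( 'wp_ajax_emailchef_disconnect', function () {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrator: fall through to the plugin's own handler
    }

    // Log enough to hunt for abuse: which user, from which address, which action.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        '[emailchef-guard] blocked emailchef_disconnect for user %d from %s',
        get_current_user_id(),
        $remote
    ) );

    // wp_send_json_error() exits after responding, so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
}, 0 );
```

This does not repair the plugin; it only interposes an authorization check the plugin lacks, and it protects nothing if the plugin also exposes the same logic through another action or hook. Remove the guard after upgrading so it cannot mask future regressions.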

Generated by OpenCVE AI on April 22, 2026 at 10:51 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Hanicker; Hanicker emailchef; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Hanicker; Hanicker emailchef; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 09:45:00 +0000

Type: Description
Values Removed: none
Values Added: The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.

Type: Title
Values Removed: none
Values Added: Emailchef <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion

Type: Weaknesses
Values Removed: none
Values Added: CWE-862

Type: References
Values Removed: none
Values Added: (none shown)

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T13:45:47.683Z

Reserved: 2026-02-04T20:54:31.865Z

Link: CVE-2026-1930

Vulnrichment

Updated: 2026-04-22T13:45:40.317Z

NVD

Status : Received

Published: 2026-04-22T10:16:51.000

Modified: 2026-04-22T10:16:51.000

Link: CVE-2026-1930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:43:42Z

Weaknesses