Description
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.
Published: 2026-02-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Change
Action: Patch Now
AI Analysis

Impact

The CallbackKiller service widget, a WordPress plugin, suffers from a missing capability check in the cbk_save() function across all versions up to 1.2. This flaw allows any visitor to invoke the Ajax endpoint cbk_save_v1 and alter the plugin’s site ID settings without authentication, effectively modifying configuration data. The vulnerability enables unauthorized data modification but does not provide immediate code execution.

Affected Systems

The vulnerable product is the CallbackKiller service widget developed by krellbat for WordPress. All releases with a version number of 1.2 or lower are affected. WordPress sites that have installed or are still using any of these versions are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An unauthenticated attacker can directly send an Ajax request to the cbk_save_v1 endpoint, bypassing any capability checks, because the plugin lacks proper authorization logic. The attack vector is publicly accessible through the target site’s URL.

Generated by OpenCVE AI on April 15, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CallbackKiller service widget to the newest release that includes a proper capability check or remove the plugin if no update is available.
  • If an update is not an option, modify the cbk_save() function (or the Ajax handler) to include a capability check such as current_user_can('manage_options') and a nonce validation to ensure only authorized users can invoke the action.
  • As a last resort, disable the widget entirely or block access to the Ajax endpoint using a firewall rule or .htaccess restrictions to prevent unauthenticated callers.
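One way to implement the second recommended action, written here as an added example and not taken from the plugin: the handler keeps the advisory's names cbk_save and cbk_save_v1, while the option name, nonce action, script handle and expected site ID format are assumptions. It also goes one step beyond the bullet by not registering a `wp_ajax_nopriv_` hook, so admin-ajax.php refuses anonymous callers before the handler runs.

```php
<?php
// Added example (not the plugin's own code): hardened shape for an
// admin-ajax settings handler like the one the advisory describes.
// Only cbk_save / cbk_save_v1 come from the advisory; everything else
// (option name, nonce action, script handle, ID format) is hypothetical.

// Register for authenticated users only. Without a matching
// 'wp_ajax_nopriv_cbk_save_v1' hook, admin-ajax.php answers anonymous
// requests with "0" and HTTP 400 before this function is reached.
add_action( 'wp_ajax_cbk_save_v1', 'cbk_save' );

function cbk_save() {
    // 1. Capability check (CWE-862): only users allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. Nonce check: binds the request to a token issued on the plugin's
    //    own admin page, so a logged-in admin lured to a third-party page
    //    cannot be made to save settings (CSRF). Dies on failure.
    check_ajax_referer( 'cbk_save_v1_nonce', 'nonce' );

    // 3. Validate and sanitize before persisting. The allowed pattern is
    //    an assumption about what a site ID looks like.
    $site_id = isset( $_POST['site_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['site_id'] ) )
        : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $site_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid site ID.' ), 400 );
    }

    update_option( 'cbk_site_id', $site_id ); // placeholder option name
    wp_send_json_success( array( 'site_id' => $site_id ) );
}

// Issue the nonce to the admin page that drives the Ajax call
// (script handle and file name are placeholders).
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'cbk-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cbk-admin', 'cbkAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'cbk_save_v1_nonce' ),
    ) );
} );
```

The admin-side script then posts `action=cbk_save_v1`, `nonce=cbkAjax.nonce` and `site_id=...` to `cbkAjax.url`; a request missing either the session or the nonce is rejected before `update_option()` runs.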


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Krellbat
                    |                | Krellbat callbackkiller Service Widget
                    |                | Wordpress
                    |                | Wordpress wordpress
Vendors & Products  |                | Krellbat
                    |                | Krellbat callbackkiller Service Widget
                    |                | Wordpress
                    |                | Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.
Title       |                | CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:43.115Z

Reserved: 2026-02-04T21:35:36.617Z

Link: CVE-2026-1944

Vulnrichment

Updated: 2026-02-18T20:35:07.978Z

NVD

Status: Deferred

Published: 2026-02-14T07:16:12.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses