Impact
The News Element Elementor Blog Magazine plugin for WordPress contains a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. Because of this omission, any authenticated user with subscriber-level access or higher can trigger the action to truncate eight core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, and termmeta) and delete the entire uploads directory. The result is a complete loss of website content and media, compromising the integrity and availability of the site. This flaw is a classic example of Missing Authorization (CWE-862).
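The two checks the advisory says are missing, shown as an added illustration that is not the plugin's or the vendor's code: a must-use plugin that a site operator could place in wp-content/mu-plugins/ to gate the 'ne_clean_data' action until the plugin is upgraded past 1.0.8. It assumes the plugin registers its handler on WordPress's standard wp_ajax_ne_clean_data hook at the default priority 10, and the nonce action name 'ne_clean_data' is an assumption that must match whatever the plugin's own admin page issues.

```php
<?php
/**
 * Plugin Name: Temporary guard for ne_clean_data (illustrative, not the vendor's code)
 * Description: Denies the ne_clean_data AJAX action unless the caller holds the
 * manage_options capability and presents a valid nonce. Runs at priority 1 so it
 * executes before the plugin's own handler (assumed to be at default priority 10).
 */

// The flaw is reachable only by logged-in users, but closing the nopriv path
// as well removes one more assumption about how the handler is registered.
add_action( 'wp_ajax_nopriv_ne_clean_data', 'ne_guard_deny', 1 );
add_action( 'wp_ajax_ne_clean_data', 'ne_guard_check', 1 );

/**
 * Log the blocked attempt for detection, then end the request with HTTP 403.
 * wp_send_json_error() calls wp_die(), so the plugin's handler never runs.
 */
function ne_guard_deny() {
    error_log( sprintf(
        'ne_clean_data blocked: user_id=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
}

/**
 * Capability check first (authorization), then nonce check (CSRF protection).
 * Falling through lets the plugin's own handler run for a legitimate admin call.
 */
function ne_guard_check() {
    // Only users who may administer the whole site should be able to wipe it.
    if ( ! current_user_can( 'manage_options' ) ) {
        ne_guard_deny();
    }
    // Assumed nonce action name; third argument false returns instead of dying
    // so that the denial is logged and answered consistently above.
    if ( false === check_ajax_referer( 'ne_clean_data', '_wpnonce', false ) ) {
        ne_guard_deny();
    }
}
```

If the plugin's admin page does not send a nonce under that name, keep only the capability check so the legitimate admin function still works while the authorization gap is closed.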
Affected Systems
The vendor is WebAngon and the affected product is the News Element Elementor Blog Magazine WordPress plugin. All releases up to and including version 1.0.8 are impacted. If you are running 1.0.8 or an earlier release, the vulnerability is present.
Risk and Exploitability
The CVSS base score of 5.4 indicates a medium severity vulnerability. The EPSS score of less than 1% shows the probability of exploitation is very low in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack requires only authenticated subscriber access, which many sites grant to regular users, an attacker who has logged into the site can easily exploit the flaw without further credential compromise. Once exploited, the attacker can cause irreversible data loss, so the risk to an organization can be high if the site hosts critical content.
OpenCVE Enrichment