Description
The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/remove_template via update_option('ziggeo_events')), modifying SDK application settings (sdk_applications operations), and managing notifications (notification_handler via update_option('ziggeo_notifications')).
Published: 2026-04-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: Privilege Escalation leading to arbitrary configuration changes
Action: Patch
AI Analysis

Impact

The Ziggeo WordPress plugin suffers from a missing authorization check in its AJAX handler. The handler only verifies a nonce and does not verify that the caller has the required capability. Because the nonce is exposed to all logged-in users via the page head, any authenticated user with a Subscriber role or higher can invoke the wp_ajax_ziggeo_ajax action and carry out administrative changes such as modifying translation strings, creating or deleting event templates, altering SDK settings and changing notification options. This is a classic case of CWE-862 (Missing Authorization): a nonce only proves the request originated from a page that printed it, which is a CSRF defence, not an access-control decision. The impact is that attackers can alter the plugin’s configuration and content, potentially disrupting service or user experience.
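To make the distinction concrete, the following is an added illustration and not Ziggeo's own code: a hypothetical, reduced AJAX handler in the weak form the description names (nonce only) beside a hardened form that also requires a capability before any state-changing branch runs. The sub-operation names are the ones listed in the description; the request parameter names (`type`, `data`), the dispatcher, the assumption that 'ziggeo_ajax_nonce' is the nonce action string, and the choice of the `manage_options` capability are this example's own assumptions.

```php
<?php
// Added example: a hypothetical reduction of the pattern described above,
// not the plugin's actual code. Parameter names and the dispatcher are assumed.

// Weak form: check_ajax_referer() only proves the request carries a nonce that
// some page printed. Because the plugin prints that nonce for every logged-in
// user, a Subscriber passes this check and reaches every branch below.
function ziggeo_ajax_weak() {
    check_ajax_referer( 'ziggeo_ajax_nonce' );
    ziggeo_dispatch( sanitize_key( $_POST['type'] ?? '' ), $_POST['data'] ?? array() );
}

// Hardened form: the nonce still guards against CSRF, and current_user_can()
// supplies the authorization decision that was missing.
function ziggeo_ajax_hardened() {
    check_ajax_referer( 'ziggeo_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() sends the JSON body and exits, so nothing below runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    ziggeo_dispatch( sanitize_key( $_POST['type'] ?? '' ), $_POST['data'] ?? array() );
}

// Shared dispatcher (assumed shape). Every branch writes a ziggeo_* option,
// which is why the capability check must sit in front of the whole switch
// rather than in individual branches.
function ziggeo_dispatch( $type, $data ) {
    switch ( $type ) {
        case 'translations_panel_save_strings':
            update_option( 'ziggeo_translations', $data );
            break;
        case 'event_editor_save_template':
            $events = (array) get_option( 'ziggeo_events', array() );
            $events[ sanitize_key( $data['name'] ?? '' ) ] = $data;
            update_option( 'ziggeo_events', $events );
            break;
        case 'notification_handler':
            update_option( 'ziggeo_notifications', $data );
            break;
        default:
            wp_send_json_error( array( 'message' => 'Unknown operation.' ), 400 );
    }
    wp_send_json_success();
}

// Only the hardened handler is registered; the weak one is shown for contrast.
add_action( 'wp_ajax_ziggeo_ajax', 'ziggeo_ajax_hardened' );
```

The point of the hardened form is that it is correct even though the nonce is printed for every logged-in user: exposure of a nonce is a CSRF weakness, but the authorization gap is what lets a Subscriber reach update_option(). `manage_options` is the capability WordPress uses for its own settings screens; a plugin that intentionally lets lower roles perform some operations should check a narrower capability per branch instead, never none.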

Affected Systems

WordPress sites running the Ziggeo plugin (vendor oliverfriedmann) at any version up to and including 3.1.1 are affected. Any site running this plugin is therefore exposed.

Risk and Exploitability

The CVSS score is 5.4, indicating medium severity. The attack requires authentication but does not need administrator privileges; a subscriber is sufficient. The nonce is exposed to every logged-in user, so an attacker can construct an AJAX POST to /wp-admin/admin-ajax.php with action=ziggeo_ajax and the required parameters. Because no capability check is performed, the request succeeds and updates the database. EPSS data is not available and the issue is not listed in the CISA KEV catalog, but the potential for configuration damage warrants immediate remediation.

Generated by OpenCVE AI on April 9, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ziggeo plugin to version 3.2 or later, which adds proper capability checks to the AJAX handler.
  • If an upgrade cannot be performed, restrict subscriber access to the wp_ajax_ziggeo_ajax endpoint using a role-management solution or custom code.
  • Remove the 'ziggeo_ajax_nonce' from the wp_head and admin_head hooks so that the nonce is not exposed to all users.
  • Verify that future releases enforce capability checks before processing AJAX requests.
  • Monitor the WordPress options table for unexpected changes to ziggeo_* options and alert administrators.
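The second and last recommendations can be combined in a small must-use plugin. The code below is an added example, not a vendor-supplied fix or workaround. It assumes the plugin registers its own handler on wp_ajax_ziggeo_ajax at WordPress's default priority (10), so a callback at priority 1 runs first; it assumes the sub-operation is passed as a `type` parameter; and it relies on the core `updated_option` and `added_option` hooks to observe writes to ziggeo_* options.

```php
<?php
/**
 * Plugin Name: Ziggeo AJAX guard (temporary hardening)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              so it loads before regular plugins and cannot be deactivated
 *              from the dashboard.
 */

// 1. Gate the AJAX action. Priority 1 runs before the plugin's handler
//    (assumed to be registered at the default priority 10).
add_action( 'wp_ajax_ziggeo_ajax', 'ziggeo_guard_require_capability', 1 );

function ziggeo_guard_require_capability() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the real handler
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'ziggeo-guard: blocked wp_ajax_ziggeo_ajax for user %d (%s) type=%s from %s',
        $user->ID,
        $user->user_login,
        sanitize_key( $_POST['type'] ?? '' ),     // assumed parameter name
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
    // Sends the JSON error and exits, so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

// 2. Record every write to a ziggeo_* option together with the acting user,
//    so an unexpected change is visible in the PHP error log (or whatever
//    error_log is routed to) even if the gate above is bypassed.
add_action( 'updated_option', 'ziggeo_guard_log_option_change', 10, 3 );
add_action( 'added_option', 'ziggeo_guard_log_option_added', 10, 2 );

function ziggeo_guard_log_option_change( $option, $old_value, $value ) {
    if ( strpos( $option, 'ziggeo_' ) !== 0 ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'ziggeo-guard: option %s changed by user %d (%s); old=%s new=%s',
        $option,
        $user->ID,
        $user->user_login,
        ziggeo_guard_digest( $old_value ),
        ziggeo_guard_digest( $value )
    ) );
}

function ziggeo_guard_log_option_added( $option, $value ) {
    if ( strpos( $option, 'ziggeo_' ) !== 0 ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'ziggeo-guard: option %s created by user %d (%s); value=%s',
        $option,
        $user->ID,
        $user->user_login,
        ziggeo_guard_digest( $value )
    ) );
}

// Log a short hash rather than the raw value: keeps entries compact and avoids
// copying secrets such as API tokens into the log file. Two identical hashes
// mean an unchanged value; a changed hash is the signal to investigate.
function ziggeo_guard_digest( $value ) {
    return substr( hash( 'sha256', maybe_serialize( $value ) ), 0, 12 );
}
```

A user ID of 0 in the option log means the write did not come from a logged-in request (for example WP-Cron or WP-CLI), which is worth knowing when triaging. If the site deliberately lets editors or other roles use Ziggeo features through this endpoint, lower the capability in the gate to the narrowest one that still covers those users; the logger needs no change. Remove the guard once the plugin has been upgraded to a release that enforces its own capability checks.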

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Oliverfriedmann; Oliverfriedmann ziggeo; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Oliverfriedmann; Oliverfriedmann ziggeo; Wordpress; Wordpress wordpress

Thu, 09 Apr 2026 03:30:00 +0000

Type: Description
Values Added: the Description text shown at the top of this page

Type: Title
Values Added: Ziggeo <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'ziggeo_ajax' AJAX Action

Type: Weaknesses
Values Added: CWE-862

Type: References (no values listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-09T02:25:04.372Z

Reserved: 2026-03-13T13:43:23.239Z

Link: CVE-2026-4124

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T04:17:14.467

Modified: 2026-04-09T04:17:14.467

Link: CVE-2026-4124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:14Z

Weaknesses