Description
The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (../). This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option with a directory traversal payload (e.g., ../../../../etc/passwd) and subsequently trigger file inclusion of arbitrary files on the server when the shortcode is rendered.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion enabling authenticated users to read arbitrary server files
Action: Upgrade plugin
AI Analysis

Impact

The Breaking News WP plugin has a Local File Inclusion (LFI) flaw. Any authenticated user with Subscriber or higher access can call the brnwp_ajax_form AJAX endpoint, which performs neither a capability check nor a nonce (CSRF) check, and overwrite the brnwp_theme option with a traversal string such as ../../../../etc/passwd. The sanitize_text_field() call on that input strips tags, line breaks and percent-encoded octets but leaves a literal ../ intact. When the brnwp_show_breaking_news_wp() shortcode handler next renders, it passes the option value to include(), so the contents of the targeted file end up in the page output. The assigned CVSS vector (C:H/I:N/A:N) scores this as a confidentiality-only impact: the attacker reads files the web server user can read and gains no direct code execution. One caveat applies to any LFI that goes through include(): PHP code inside the included file would be executed, so the practical impact also depends on which files an attacker can already place on the server. The weakness is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal').
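
To make the mechanism concrete, here is an added illustration that is not the plugin's source code. The first half reproduces the pattern the advisory describes (option written without authorization or nonce checks, then handed to include()); the second half is one way to close it with a nonce check, a capability check and an allowlist of theme names. The templates/ directory, the theme names, the nonce action 'brnwp_form' and the shortcode tag are assumptions.

```php
<?php
// Added illustration, not the plugin's source code. The first half reproduces the
// pattern the advisory describes; the second half is one way to close it.
// Assumed: a templates/ directory inside the plugin, the theme names in the
// allowlist, the nonce action 'brnwp_form', and the shortcode tag registered below.

// ---- Pattern described in the advisory (do not deploy) -------------------
// No nonce, no capability check, and sanitize_text_field() strips tags,
// line breaks and percent-encoded octets but leaves a literal "../" intact,
// so a Subscriber can store "../../../../etc/passwd" in the option.
function brnwp_ajax_form_as_described() {
    $theme = sanitize_text_field( wp_unslash( $_POST['brnwp_theme'] ?? '' ) );
    update_option( 'brnwp_theme', $theme );
    wp_send_json_success();
}

function brnwp_show_breaking_news_wp_as_described( $atts ) {
    $theme = get_option( 'brnwp_theme', 'default' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . $theme; // option value reaches include() unchecked
    return ob_get_clean();
}

// ---- Hardened version ----------------------------------------------------
const BRNWP_ALLOWED_THEMES = array( 'default', 'dark', 'light' ); // assumed names

// Map any input to a member of the allowlist. sanitize_key() keeps only
// [a-z0-9_-], so the result can never contain "/", "\" or ".".
function brnwp_normalize_theme( $raw ) {
    $key = sanitize_key( (string) $raw );
    return in_array( $key, BRNWP_ALLOWED_THEMES, true ) ? $key : 'default';
}

function brnwp_ajax_form_fixed() {
    check_ajax_referer( 'brnwp_form', 'nonce' );      // CSRF: dies unless the form's nonce is valid
    if ( ! current_user_can( 'manage_options' ) ) { // authorization: administrators only
        wp_send_json_error( 'forbidden', 403 );
    }
    $theme = brnwp_normalize_theme( wp_unslash( $_POST['brnwp_theme'] ?? '' ) );
    update_option( 'brnwp_theme', $theme );
    wp_send_json_success( array( 'theme' => $theme ) );
}

function brnwp_show_breaking_news_wp_fixed( $atts ) {
    // Re-validate on read so a value stored before the fix is neutralized too.
    $theme = brnwp_normalize_theme( get_option( 'brnwp_theme', 'default' ) );
    $base  = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file  = ( false === $base ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $theme . '.php' );
    // Containment: the resolved file must live inside templates/. realpath()
    // returns false for a missing file, which is rejected as well.
    if ( false === $base || false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }
    ob_start();
    include $file;
    return ob_get_clean();
}

add_action( 'wp_ajax_brnwp_ajax_form', 'brnwp_ajax_form_fixed' );
add_shortcode( 'breaking_news_wp', 'brnwp_show_breaking_news_wp_fixed' ); // tag name assumed
```

The allowlist is the real fix; the realpath() containment check is belt-and-braces for the case where a future change lets a non-allowlisted value through. Validating again on the read side matters because the database may already hold a traversal value written while the site ran the vulnerable version.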

Affected Systems

WordPress sites running the Breaking News WP plugin at version 1.3 or earlier are affected. OpenCVE lists the product under vendor doctorwp (Breaking News WP) and also records the wordpress/wordpress platform entry. The page names no fixed version, so treat every installed version up to and including 1.3 as vulnerable until the vendor publishes a release that addresses the issue.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) places this flaw in the medium range: it is reachable over the network, needs only low-privilege (Subscriber) credentials and requires no user interaction; the high confidentiality impact is what lifts it to 6.5. The EPSS estimate is below 1%, and the CVE is not in the CISA KEV catalog, so no in-the-wild exploitation had been recorded at publication. Exploitation is a two-step process: send a request for the WordPress AJAX action brnwp_ajax_form (served through admin-ajax.php) that sets brnwp_theme to a traversal path, then load any page that renders the shortcode and read the included file from the response. Because the endpoint also lacks a nonce check, the first step can be triggered by CSRF against any logged-in user, so site credentials are not strictly required to plant the value; the CVE is nonetheless scored for the authenticated case.

Generated by OpenCVE AI on April 22, 2026 at 09:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Breaking News WP plugin to a release later than 1.3 as soon as the vendor publishes one that addresses the LFI; this page currently lists no fixed version
  • If upgrading is not immediately possible, remove the shortcode handled by brnwp_show_breaking_news_wp() from all content or deactivate the plugin; the include() runs only when the shortcode renders
  • Restrict the brnwp_ajax_form AJAX action to Administrators (a capability check at the WordPress level, or a WAF rule on admin-ajax.php requests carrying action=brnwp_ajax_form), and inspect the stored brnwp_theme option for traversal sequences, since a value planted before mitigation is still included on the next render
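
For the second and third actions, a site owner who cannot upgrade yet can apply the checks from outside the plugin. The must-use plugin below is an added example, not vendor code. It assumes the vendor handler is hooked to wp_ajax_brnwp_ajax_form at WordPress's default priority of 10, that the shortcode reads the theme through get_option('brnwp_theme'), and that 'default' is a valid theme name.

```php
<?php
/**
 * Plugin Name: BRNWP stopgap (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/ until a fixed Breaking News WP release is installed.
 */
// Assumed: the vendor handler is hooked to wp_ajax_brnwp_ajax_form at the default
// priority 10, the option is read with get_option('brnwp_theme'), and 'default'
// is a valid theme name.

// A theme name is accepted only as a bare token: letters, digits, '-' and '_'.
// No '/', '\' or '.' can get through, so "../" and absolute paths are rejected.
function brnwp_stopgap_is_bare_name( $value ) {
    return is_string( $value ) && preg_match( '/\A[A-Za-z0-9_-]+\z/', $value ) === 1;
}

// 1. Gate the endpoint. Priority 1 runs before the vendor callback, and
//    wp_send_json_error() terminates the request, so non-admins never reach it.
add_action( 'wp_ajax_brnwp_ajax_form', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'brnwp_ajax_form is restricted to administrators', 403 );
    }
}, 1 );

// 2. Refuse to store a traversal value regardless of who submits it. This also
//    covers a CSRF request riding on an administrator's session, which the
//    capability gate alone would let through.
add_filter( 'pre_update_option_brnwp_theme', function ( $value, $old_value ) {
    return brnwp_stopgap_is_bare_name( $value ) ? $value : $old_value;
}, 10, 2 );

// 3. Neutralize a value that was planted before this file was deployed, so the
//    shortcode's include() never sees it even if the database still holds it.
add_filter( 'option_brnwp_theme', function ( $value ) {
    return brnwp_stopgap_is_bare_name( $value ) ? $value : 'default';
} );
```

After deploying, read the stored value with WP-CLI (`wp option get brnwp_theme`) and reset it if it contains a path: step 3 stops the include from using it but does not clean the database. If the vendor form sends no nonce, this file cannot add a CSRF check without breaking the administrator's own form; the write filter in step 2 is what limits a CSRF-planted value to a harmless theme name.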



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Doctorwp
                                      Doctorwp breaking News Wp
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Doctorwp
                                      Doctorwp breaking News Wp
                                      Wordpress
                                      Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type          Values Removed   Values Added
Description                    (initial CVE description; identical to the Description section above)
Title                          Breaking News WP <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Local File Inclusion/Read
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T07:45:33.984Z

Reserved: 2026-03-16T15:46:33.907Z

Link: CVE-2026-4280

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-22T09:16:25.310

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:14Z

Weaknesses