CVE-2026-7249 - Vulnerability Details

- Location Weather <= 3.0.2 - Missing Authorization to Authenticated (Contributor+) Block Settings Modification and Cache Purging

Description

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook.

Published: 2026-05-22

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Location Weather plugin for WordPress allows authenticated contributors and higher to change block settings and purge all weather cache transients without proper capability checks. The plugin exposes a nonce to all logged‑in users through wp_localize_script, enabling attackers to craft requests that bypass the usual permission requirements. This flaw can be exploited by any contributor or higher builder to disable weather interfaces on the site and clear all cached data, potentially disrupting user experience and rendering the plugin non‑functional.

Affected Systems

WordPress sites that have the Location Weather plugin installed, version 3.0.2 or earlier, from the vendor shapedplugin: Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating low severity, and no EPSS data is available. It is not listed in the CISA KEV catalog. Attackers must first be authenticated with Contributor role or higher, then they can submit requests using the exposed nonce. The impact is limited to block configuration and cache but can effectively disable the plugin’s visual features. Even though the likelihood of exploitation is not quantified, the low CVSS suggests it is not a high‑priority target but should still be remediated to prevent site disruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

shapedplugin

Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.0.2

No data.

Vendor Product Confidence Versions

Shapedplugin

Location Weather – Wordpress Weather Forecast, Aqi, Temperature And Weather Widget

100%

Version	Status	Scheme	Platform
`[0,3.0.2]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Location Weather plugin to version 3.0.3 or later, which addresses the missing capability checks on splw_update_block_options() and lwp_clean_weather_transients()
If an update is not immediately possible, remove or disable the plugin to eliminate the vulnerable functionality from the site
Limit Contributor and higher roles to only those users who need to manage blocks, and audit existing contributors to ensure only trusted users retain that capability

Generated by OpenCVE AI on May 22, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256
https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L331
https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256
https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L332
https://wordpress.org/plugins/location-weather/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d472011d-1623-4791-9d56-715d90fe0469?source=cve

History

Fri, 22 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 22 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Shapedplugin Shapedplugin location Weather – Wordpress Weather Forecast, Aqi, Temperature And Weather Widget Wordpress Wordpress wordpress
Vendors & Products		Shapedplugin Shapedplugin location Weather – Wordpress Weather Forecast, Aqi, Temperature And Weather Widget Wordpress Wordpress wordpress

Fri, 22 May 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook.
Title		Location Weather <= 3.0.2 - Missing Authorization to Authenticated (Contributor+) Block Settings Modification and Cache Purging
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256 https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L331 https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256 https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L332 https://wordpress.org/plugins/location-weather/ https://www.wordfence.com/threat-intel/vulnerabilities/id/d472011d-1623-4791-9d56-715d90fe0469?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Shapedplugin Location Weather – Wordpress Weather Forecast, Aqi, Temperature And Weather Widget

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-22T03:39:22.232Z

Updated: 2026-05-22T18:37:22.642Z

Reserved: 2026-04-27T18:10:28.992Z

Link: CVE-2026-7249

Vulnrichment

Updated: 2026-05-22T18:37:19.134Z

NVD

Status : Received

Published: 2026-05-22T05:16:27.623

Modified: 2026-05-22T05:16:27.623

Link: CVE-2026-7249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:37:57Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object