{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4280", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T15:46:33.907Z", "datePublished": "2026-04-22T07:45:33.984Z", "dateUpdated": "2026-04-22T07:45:33.984Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:33.984Z"}, "affected": [{"vendor": "doctorwp", "product": "Breaking News WP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (../). This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option with a directory traversal payload (e.g., ../../../../etc/passwd) and subsequently trigger file inclusion of arbitrary files on the server when the shortcode is rendered."}], "title": "Breaking News WP <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Local File Inclusion/Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4772b482-f5e5-4707-b012-aca70fc89e49?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L366"}, {"url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L366"}, {"url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L372"}, {"url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L372"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Minh Toan"}], "timeline": [{"time": "2026-04-21T19:05:09.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (../). This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option with a directory traversal payload (e.g., ../../../../etc/passwd) and subsequently trigger file inclusion of arbitrary files on the server when the shortcode is rendered."}], "id": "CVE-2026-4280", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:25.310", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L366"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L372"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/tags/1.3/breaking-news.php#L85"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L366"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L372"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/breaking-news-wp/trunk/breaking-news.php#L85"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4772b482-f5e5-4707-b012-aca70fc89e49?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Breaking News WP", "source": "cna", "vendor": "doctorwp"}, "product": "breaking_news_wp", "vendor": "doctorwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T09:38:39.735607+00:00", "value": {"mitigation_remediation": ["Upgrade the Breaking News WP plugin to the latest release that addresses the LFI vulnerability", "If upgrading is not immediately possible, remove all instances of the brnwp_show_breaking_news_wp shortcode from content to prevent file inclusion", "Configure access control or a firewall rule to restrict the brnwp_ajax_form AJAX endpoint to Administrators only, blocking Subscriber\u2011level users from exploiting the path traversal"], "summary": {"action": "Upgrade plugin", "impact": "Local File Inclusion enabling authenticated users to read arbitrary server files"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Breaking News WP plugin version 1.3 or earlier are affected. The plugin is listed under the vendor doctorwp for the product Breaking News WP. No other software versions are presently affected by this issue.", "description_and_impact": "The Breaking News WP plugin suffers a Local File Inclusion (LFI) flaw that allows an authenticated user with Subscriber or higher access to supply a directory traversal payload. By manipulating the brnwp_theme option through the brnwp_ajax_form endpoint\u2014 which lacks both authorization checks and CSRF protection\u2014 an attacker can override the option value to a traversal string such as ../../../../etc/passwd and force the shortcode handler to include that file. The resulting data exposure is confined to the server file system and does not give direct code execution but does compromise confidentiality. This vulnerability is classified as CWE\u201122, Local File Inclusion.", "risk_and_exploitability": "The CVSS score of 6.5 places this flaw in the medium severity range. Exploitability is moderate because the attacker must be authenticated at the Subscriber level and must supply a path traversal string, yet no additional conditions such as network exposure or privilege escalation are required. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no widely known exploits have been observed. An attacker could exploit the flaw by sending a crafted AJAX request to the brnwp_ajax_form endpoint and then viewing the resulting page that renders the malicious shortcode. The lack of CSRF checks makes the attack straightforward for anyone with site credentials."}}}}, "created": "2026-04-22T09:45:13.083885+00:00", "updated": "2026-04-22T11:44:14.683541+00:00", "vendors": ["doctorwp", "doctorwp$PRODUCT$breaking_news_wp", "wordpress", "wordpress$PRODUCT$wordpress"]}