Emailchef WordPress Plugin CVE-2026-1930

EUVD-2026-24718 | MEDIUM | Missing Authorization (CWE-862)
2026-04-22 | Wordfence | GHSA-vf5m-3cj8-f27q
CVSS 3.1: 4.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 22, 2026 - 13:09 (vuln.today)

Description (NVD)

The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.
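
A defensive stop-gap for the missing check described above, as an added example (not code from Emailchef, Wordfence or NVD): a must-use plugin that rejects the 'emailchef_disconnect' AJAX action for users without an administrative capability. The function name example_guard_emailchef_disconnect, the choice of the manage_options capability, and the assumption that the plugin's handler is hooked at the default priority are illustrative assumptions.

```php
<?php
/**
 * Plugin Name: Emailchef disconnect guard (added example)
 *
 * Place in wp-content/mu-plugins/ on sites running Emailchef 3.5.1 or earlier.
 */

// Assumption: the plugin hooks its handler on wp_ajax_emailchef_disconnect
// at the default priority (10), so a priority-0 callback runs before it.
add_action( 'wp_ajax_emailchef_disconnect', 'example_guard_emailchef_disconnect', 0 );

function example_guard_emailchef_disconnect() {
    // Assumption: only users who can manage site options (administrators)
    // should be able to remove the plugin's settings.
    if ( current_user_can( 'manage_options' ) ) {
        return; // Authorized: fall through to the plugin's own handler.
    }

    // Record the rejected request so it can be reviewed later.
    error_log( sprintf(
        'Blocked emailchef_disconnect from user ID %d (IP %s)',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() sends the JSON response and ends the request,
    // so the later-priority plugin handler never executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

Entries written by error_log() for this action from Subscriber-level accounts are a useful signal that the endpoint is being probed.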

Analysis (AI)

Emailchef WordPress plugin versions up to 3.5.1 allow authenticated attackers with Subscriber-level access to delete plugin settings via an unprotected AJAX action due to missing capability checks. The vulnerability enables unauthorized modification of plugin configuration without administrative privileges, affecting any WordPress site using the affected plugin versions. …
