Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgrade_jquery_version() function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has knowns security vulnerabilities.
AnalysisAI
Unauthorized jQuery downgrade in the Enable jQuery Migrate Helper WordPress plugin (all versions ≤1.4.1) allows any authenticated Subscriber-level user to replace the site-wide jQuery 3.7.1 with the legacy 1.12.4-wp release, which carries known security vulnerabilities. The root cause is a missing authorization check in the downgrade_jquery_version() function, which validates a nonce but never verifies user capabilities (CWE-862). No public exploit exists and CISA has not added this to KEV; however, the indirect impact is significant because a successful downgrade introduces a vulnerable jQuery version that could serve as a stepping stone for further exploitation of other weaknesses.
Technical ContextAI
The Enable jQuery Migrate Helper WordPress plugin provides site administrators a compatibility bridge between legacy jQuery code and modern jQuery releases. The affected function downgrade_jquery_version() - defined at class-jquery-migrate-helper.php line 225 and referenced at line 256 - uses WordPress nonce verification (wp_verify_nonce) as its sole authorization gate. WordPress nonces prevent CSRF but do not enforce privilege separation; capability checks (current_user_can()) are the correct mechanism for restricting privileged actions. CWE-862 (Missing Authorization) captures exactly this pattern: authentication is present but authorization is absent. The practical consequence is that the function can be invoked by any authenticated user regardless of role - Subscriber through Administrator - causing a site-wide regression from jQuery 3.7.1 to jQuery 1.12.4-wp, a legacy release with documented security issues. CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N reflects network-reachable exploitation, low complexity, low privilege requirement, and high integrity impact with no confidentiality or availability effect in isolation.
RemediationAI
The NVD references include both the 1.4.1 tagged release and the trunk branch of the plugin repository (plugins.trac.wordpress.org/browser/enable-jquery-migrate-helper/trunk/class-jquery-migrate-helper.php), suggesting an upstream fix has been committed to trunk, but a specifically versioned patched release was not confirmed in the available input data - administrators should check the WordPress plugin repository for an update released after 1.4.1 and apply it immediately. As a compensating control while awaiting a confirmed patched release, restrict WordPress user registration to prevent creation of Subscriber-level accounts by untrusted parties (Settings → General → uncheck 'Anyone can register'). Alternatively, a WAF rule blocking POST requests to the wp-admin AJAX endpoint targeting the downgrade action can limit exposure. Disabling the plugin entirely eliminates the attack surface at the cost of losing jQuery migrate compatibility tooling. The Wordfence advisory at wordfence.com/threat-intel/vulnerabilities/id/1a74d5f4-1dd8-4d49-b4ce-8ba7ac9cbcc7 should be monitored for patch version confirmation.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32099
GHSA-hcmf-56qp-ghh2