Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AV:N and PR:N confirmed by wp_ajax_nopriv_* registration; I:L for option/transient deletion only; no code execution, credential exposure, or persistent unavailability.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() function in versions up to, and including, 3.0.1. The callback is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks and unconditionally calls delete_option() on four plugin options and delete_transient() on three transients tied to the plugin's API key cache and settings. This makes it possible for unauthenticated attackers to delete plugin options and transients, effectively resetting the plugin's API key/data cache and forcing the plugin to refetch state.
AnalysisAI
Unauthenticated settings reset in the Fense Proxy & VPN Blocker WordPress plugin (versions up to and including 3.0.1) allows any remote attacker to wipe the plugin's API key cache and configuration by invoking an unprotected AJAX endpoint. The fense_bpvt_save_settings() function is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks without any capability check or nonce validation, meaning it is reachable without authentication and calls delete_option() and delete_transient() unconditionally on plugin-critical data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Fense Proxy & VPN Blocker plugin must be installed and active on the target WordPress site in a version at or below 3.0.1. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) yields a 5.3 Medium score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker wishing to bypass a site's VPN or proxy detection sends a single unauthenticated HTTP POST request to wp-admin/admin-ajax.php with the action parameter set to the registered hook name for fense_bpvt_save_settings. The function executes without any authorization check, deletes the plugin's stored API key and cached detection data, and forces the plugin into a degraded state where proxy and VPN detection is temporarily inactive until the plugin refetches its configuration. … |
| Remediation | Update the Fense Proxy & VPN Blocker plugin to version 3.0.2 or later, which introduces the corrected AJAX handler as confirmed by the WordPress plugin repository at https://plugins.trac.wordpress.org/browser/fense-block-vpn-proxy/tags/3.0.2/includes/system/header-code.php. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45126
GHSA-56hc-jghx-566j