Skip to main content

Fense Proxy VPN Blocker EUVDEUVD-2026-45126

| CVE-2026-8616 MEDIUM
Missing Authorization (CWE-862)
2026-07-17 Wordfence GHSA-56hc-jghx-566j
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

AV:N and PR:N confirmed by wp_ajax_nopriv_* registration; I:L for option/transient deletion only; no code execution, credential exposure, or persistent unavailability.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 04:21 vuln.today
CVE Published
Jul 17, 2026 - 02:31 cve.org
MEDIUM 5.3

DescriptionNVD

The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() function in versions up to, and including, 3.0.1. The callback is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks and unconditionally calls delete_option() on four plugin options and delete_transient() on three transients tied to the plugin's API key cache and settings. This makes it possible for unauthenticated attackers to delete plugin options and transients, effectively resetting the plugin's API key/data cache and forcing the plugin to refetch state.

AnalysisAI

Unauthenticated settings reset in the Fense Proxy & VPN Blocker WordPress plugin (versions up to and including 3.0.1) allows any remote attacker to wipe the plugin's API key cache and configuration by invoking an unprotected AJAX endpoint. The fense_bpvt_save_settings() function is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks without any capability check or nonce validation, meaning it is reachable without authentication and calls delete_option() and delete_transient() unconditionally on plugin-critical data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site with vulnerable Fense plugin
Delivery
Send unauthenticated POST to wp-admin/admin-ajax.php
Exploit
Trigger fense_bpvt_save_settings() with no authorization check
Install
delete_option() removes API key and settings
C2
delete_transient() clears detection cache
Execute
Plugin enters degraded state, VPN/proxy blocking inactive
Impact
Attacker accesses site through anonymizing proxy undetected

Vulnerability AssessmentAI

Exploitation The Fense Proxy & VPN Blocker plugin must be installed and active on the target WordPress site in a version at or below 3.0.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) yields a 5.3 Medium score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker wishing to bypass a site's VPN or proxy detection sends a single unauthenticated HTTP POST request to wp-admin/admin-ajax.php with the action parameter set to the registered hook name for fense_bpvt_save_settings. The function executes without any authorization check, deletes the plugin's stored API key and cached detection data, and forces the plugin into a degraded state where proxy and VPN detection is temporarily inactive until the plugin refetches its configuration. …
Remediation Update the Fense Proxy & VPN Blocker plugin to version 3.0.2 or later, which introduces the corrected AJAX handler as confirmed by the WordPress plugin repository at https://plugins.trac.wordpress.org/browser/fense-block-vpn-proxy/tags/3.0.2/includes/system/header-code.php. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy