Skip to main content

Fense Proxy Vpn Blocker

1 CVEs product

Monthly

CVE-2026-8616 MEDIUM This Month

Unauthenticated settings reset in the Fense Proxy & VPN Blocker WordPress plugin (versions up to and including 3.0.1) allows any remote attacker to wipe the plugin's API key cache and configuration by invoking an unprotected AJAX endpoint. The fense_bpvt_save_settings() function is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks without any capability check or nonce validation, meaning it is reachable without authentication and calls delete_option() and delete_transient() unconditionally on plugin-critical data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivial to execute and carries a meaningful functional consequence: disabling the site's VPN and proxy detection capability.

WordPress Authentication Bypass Fense Proxy Vpn Blocker
NVD
CVSS 3.1
5.3
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated settings reset in the Fense Proxy & VPN Blocker WordPress plugin (versions up to and including 3.0.1) allows any remote attacker to wipe the plugin's API key cache and configuration by invoking an unprotected AJAX endpoint. The fense_bpvt_save_settings() function is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks without any capability check or nonce validation, meaning it is reachable without authentication and calls delete_option() and delete_transient() unconditionally on plugin-critical data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivial to execute and carries a meaningful functional consequence: disabling the site's VPN and proxy detection capability.

WordPress Authentication Bypass Fense Proxy Vpn Blocker
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy