What the vulnerability does
01 Description
The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.1.4. Because the handler is registered on a 'wp_ajax_' hook (not 'wp_ajax_nopriv_'), it runs for any logged-in user who sends a request to admin-ajax.php with action=frontend_save, and it does not verify that the caller is allowed to manage the plugin. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's stored CSS setting.
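The following is an added illustration of the bug class the description names, not the Live CSS Preview plugin's own code: an admin-ajax handler on the 'wp_ajax_frontend_save' hook that saves a CSS option without checking the caller's capabilities, shown beside a hardened version. The option name 'lcp_css', the nonce action 'lcp_frontend_save', the request field 'css', and the choice of 'edit_theme_options' as the required capability are assumptions made for the example.

```php
<?php
/**
 * Added illustrative example, not the Live CSS Preview plugin's own code.
 * Option name 'lcp_css', nonce action 'lcp_frontend_save', request field
 * 'css' and the capability 'edit_theme_options' are assumptions.
 */

// --- Vulnerable pattern: the only gate is being logged in. ---
// 'wp_ajax_{action}' fires for authenticated requests to admin-ajax.php
// carrying action=frontend_save, so a Subscriber reaches this callback.
function lcp_frontend_save_vulnerable() {
    $css = isset( $_POST['css'] ) ? wp_unslash( $_POST['css'] ) : '';
    update_option( 'lcp_css', $css );   // no capability check, no nonce
    wp_send_json_success();
}
// Left unregistered so the two handlers do not both fire:
// add_action( 'wp_ajax_frontend_save', 'lcp_frontend_save_vulnerable' );

// --- Hardened pattern. ---
function lcp_frontend_save_hardened() {
    // 1. CSRF: reject requests that do not carry the nonce the admin page
    //    printed (wp_create_nonce( 'lcp_frontend_save' ) on the client).
    check_ajax_referer( 'lcp_frontend_save', 'nonce' );

    // 2. Authorization: the check the advisory says is missing. Login alone
    //    is not enough; require a capability a Subscriber never holds.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input handling: the value is CSS, so strip markup (including a
    //    stray </style>) but keep the text itself.
    $css = isset( $_POST['css'] )
        ? wp_strip_all_tags( wp_unslash( $_POST['css'] ) )
        : '';

    update_option( 'lcp_css', $css );
    wp_send_json_success();
}
add_action( 'wp_ajax_frontend_save', 'lcp_frontend_save_hardened' );
```

The order matters: the nonce check rejects cross-site requests before any work is done, the capability check is what actually closes the hole described above, and sanitization is defence in depth for the point where the stored value is later printed into the page.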
Explanation of Vulnerability in Simple Terms
02 Summary
Live CSS Preview versions 2.1.4 and earlier save the plugin's CSS setting without checking who is asking. Any account that can log in, including a Subscriber, can therefore overwrite the CSS the plugin serves to visitors; no administrator action is required. Update to a version newer than 2.1.4 to restore the missing authorization check.
What an attacker can do
03 Attacker Capabilities
Overwrite the plugin's CSS setting, and with it the styling served on the site's pages, from any authenticated account at Subscriber level or higher.
Potential impact on your site
04 Site Impact
Attacker-controlled CSS reaches every page the plugin styles, so a low-privilege user can deface pages, hide or reposition elements, or overlay content that imitates the site's own interface. Whether the injected value can do more than change styling depends on how the plugin escapes the setting when it prints it; the advisory only establishes that the setting itself can be rewritten.
Conditions required to exploit
05 Prerequisites
The attacker needs a valid account on the site; Subscriber-level access is enough, so on sites with open registration anyone can obtain one. Requests exercising the bug go to admin-ajax.php with action=frontend_save, so web server or WAF logs can be reviewed for unexpected use of that action.
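For a site that cannot update past 2.1.4 immediately, the following is an added example of an interim guard as a must-use plugin; it is not part of the plugin or the advisory. It hooks the same 'wp_ajax_frontend_save' action the advisory names at a priority that runs before the plugin's own callback and stops the request unless the caller holds 'edit_theme_options', which is assumed here to be the right capability for a CSS-editing feature; the log message format is also the example's own. Remove the file once the plugin is updated.

```php
<?php
/**
 * Plugin Name: Live CSS Preview capability guard (interim)
 *
 * Added example, not the plugin's or the advisory's code. Place in
 * wp-content/mu-plugins/ so it loads before regular plugins. The
 * capability 'edit_theme_options' is an assumption; adjust it to whichever
 * role is meant to edit the plugin's CSS on your site.
 */

function lcp_guard_frontend_save() {
    if ( current_user_can( 'edit_theme_options' ) ) {
        return; // legitimate caller: let the plugin's own handler run next
    }

    // Record the attempt; useful when checking whether the bug was exercised.
    error_log( sprintf(
        'frontend_save denied for user %d from %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() ends the request via wp_die(), so the plugin's
    // callback, registered at the default priority 10, never executes.
    wp_send_json_error( 'forbidden', 403 );
}

// Priority 0 runs ahead of the plugin's default-priority callback.
add_action( 'wp_ajax_frontend_save', 'lcp_guard_frontend_save', 0 );
```

This is a stopgap, not a fix: it only works because the guard is registered on the exact hook the advisory identifies and runs earlier than the plugin's handler, and it adds no nonce check of its own. Updating the plugin remains the actual remediation.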
Key dates
06 Disclosure timeline
December 5, 2025: CVE published
April 8, 2026: Record updated