CVE-2026-1944 MEDIUM

CVE-2026-1944: CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update

Vendor Krellbat

Product CallbackKiller service widget

Weakness CWE-862 · Missing authorization

Published February 14, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.

Explanation of Vulnerability in Simple Terms

02Summary

The CallbackKiller service widget versions 1.2 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify data via the network. No authentication or user interaction is required to exploit this vulnerability. The impact is limited to data integrity; confidentiality and availability are not affected.

What an attacker can do

03Attacker Capabilities

Modify data in the CallbackKiller service widget without authentication.

Potential impact on your site

04Site Impact

Attackers can alter widget configuration or data without logging in, potentially disrupting service functionality.

Conditions required to exploit

05Prerequisites

Network access to the vulnerable service; no authentication required.

Key dates

06Disclosure timeline

February 14, 2026 CVE published

April 8, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-1944 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities