CVE-2026-7249 MEDIUM

CVE-2026-7249: Location Weather <= 3.0.2 - Missing Authorization to Authenticated (Contributor+) Block Settings Modification and Cache Purging

Vendor Shapedplugin
Product Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget
Weakness CWE-862 · Missing authorization
Published May 22, 2026
Last update May 22, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook.
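The mechanism described above is the common WordPress anti-pattern of treating a nonce as an authorization check. A `wp_ajax_*` handler runs for every logged-in user regardless of role, and a nonce only proves that the request was issued from a page the site itself rendered; it says nothing about what the user is allowed to do. Once the nonce is handed to every authenticated user on `init`, the handler's `check_ajax_referer()` passes for a Contributor just as it does for an administrator. The following is an added illustration and is not the Location Weather plugin's own code: it reconstructs the vulnerable pattern beside a hardened form. Only the two handler names come from the advisory; the nonce action, script handle, option name and transient prefix are assumptions chosen for the example.

```php
<?php
/**
 * Added example, not the plugin's code. Handler names are from the
 * advisory; the nonce action 'splw_admin_nonce', script handle,
 * option 'splw_blocks_enabled' and transient prefix 'lwp_weather_'
 * are assumptions for illustration.
 */

/* ---- Vulnerable pattern: nonce check only, no capability check ---- */

// Nonce exposed to every logged-in user on `init`. It cannot tell an
// administrator apart from a Contributor, so it is not an authorization control.
add_action( 'init', function () {
    wp_enqueue_script( 'splw-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'splw-admin', 'splwAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'splw_admin_nonce' ),
    ) );
} );

function splw_update_block_options_vulnerable() {
    check_ajax_referer( 'splw_admin_nonce', 'nonce' );          // CSRF protection only
    $enabled = ! empty( $_POST['enabled'] );
    update_option( 'splw_blocks_enabled', $enabled );           // any Contributor can flip this
    wp_send_json_success();
}
add_action( 'wp_ajax_splw_update_block_options', 'splw_update_block_options_vulnerable' );

/* ---- Hardened form: authorize in the handler, expose the nonce narrowly ---- */

// Localize the nonce only on admin screens and only for users who may change settings.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'splw-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'splw-admin', 'splwAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'splw_admin_nonce' ),
    ) );
} );

// Shared guard: CSRF (nonce) AND authorization (capability). Both are required;
// the capability check is the one the advisory says was missing.
function splw_require_settings_access() {
    check_ajax_referer( 'splw_admin_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );             // wp_send_json_error() exits
    }
}

function splw_update_block_options_fixed() {
    splw_require_settings_access();
    $enabled = ! empty( $_POST['enabled'] );
    update_option( 'splw_blocks_enabled', $enabled );
    wp_send_json_success();
}

function lwp_clean_weather_transients_fixed() {
    splw_require_settings_access();
    global $wpdb;
    // Purge every transient under the assumed plugin prefix, including the
    // matching timeout rows that WordPress stores alongside each transient.
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->options} WHERE option_name LIKE %s OR option_name LIKE %s",
        $wpdb->esc_like( '_transient_lwp_weather_' ) . '%',
        $wpdb->esc_like( '_transient_timeout_lwp_weather_' ) . '%'
    ) );
    wp_send_json_success();
}

add_action( 'wp_ajax_splw_update_block_options',   'splw_update_block_options_fixed' );
add_action( 'wp_ajax_lwp_clean_weather_transients', 'lwp_clean_weather_transients_fixed' );
```

The point to carry away is that `check_ajax_referer()` and `current_user_can()` answer different questions, and a settings-changing handler needs both. Moving the `wp_localize_script()` call off `init` and behind a capability test reduces exposure of the nonce, but it is defence in depth only: an attacker who obtains the nonce some other way is still stopped by the capability check inside the handler, which is the actual fix.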

Explanation of Vulnerability in Simple Terms

02 Summary

The Location Weather plugin for WordPress does not check whether the requesting user is allowed to change plugin settings before acting on two of its AJAX requests. It only checks a nonce, and that nonce is given to every logged-in user, so it does not restrict who can send the request. A logged-in user with Contributor-level access or higher can therefore disable all of the plugin's weather blocks and purge its cached weather data. All versions up to and including 3.0.2 are affected; site administrators should update to a release newer than 3.0.2.

What an attacker can do

03 Attacker Capabilities

An authenticated user with Contributor-level access or above can call the `splw_update_block_options()` and `lwp_clean_weather_transients()` handlers directly, because neither verifies a capability and the nonce they require is exposed to all authenticated users via `wp_localize_script()` on `init`. This lets the attacker disable all weather blocks and purge all weather cache transients. The attacker cannot read data or elevate privileges; the flaw is limited to these two integrity-affecting actions (CVSS C:N / I:L / A:N).

Potential impact on your site

04 Site Impact

A low-privileged user can turn off every weather block on the site and repeatedly purge the plugin's weather cache, so weather content disappears or is re-fetched from the upstream weather service on the next render. This degrades site appearance and functionality but does not expose data or grant further access, which is why the CVSS rating is Medium with a Low integrity impact.

Conditions required to exploit

05 Prerequisites

The attacker needs an authenticated WordPress account with Contributor-level access or above (a Subscriber account is not sufficient according to the advisory) on a site running Location Weather 3.0.2 or earlier. No user interaction from an administrator is required, and the request can be sent over the network directly to the plugin's AJAX endpoints.

Key dates

06 Disclosure timeline

May 22, 2026 CVE published
May 22, 2026 Record updated