What the vulnerability does
01 Description
The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook.
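The pattern described above, illustrated as an added example that is not the plugin's own code (the Location Weather source is not reproduced here): a hypothetical AJAX handler that verifies only a nonce, followed by the hardened form that also requires a capability and only hands the nonce to users who are allowed to use it. The hook names, option key, transient names and the `lwp_demo_` prefix are assumptions chosen for the illustration.

```php
<?php
// Vulnerable pattern (illustrative, not the plugin's code):
// a nonce alone proves the request came from a page the user loaded,
// not that the user is allowed to change site-wide settings. If the
// nonce is localized on `init` for every logged-in user, any Contributor
// can satisfy this check.
function lwp_demo_disable_blocks_vulnerable() {
    check_ajax_referer( 'lwp_demo_nonce', 'nonce' );
    update_option( 'lwp_demo_block_options', array( 'enabled' => false ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_lwp_demo_disable_blocks_vulnerable', 'lwp_demo_disable_blocks_vulnerable' );

// Hardened form: same nonce check, plus an explicit capability check.
// `manage_options` is the usual gate for changing plugin settings; a
// Contributor does not hold it, so the request is rejected with 403.
function lwp_demo_disable_blocks_hardened() {
    check_ajax_referer( 'lwp_demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    update_option( 'lwp_demo_block_options', array( 'enabled' => false ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_lwp_demo_disable_blocks_hardened', 'lwp_demo_disable_blocks_hardened' );

// Cache purge handler with the same two checks. The transient names are
// placeholders; a real plugin would delete the keys it actually set.
function lwp_demo_clean_transients_hardened() {
    check_ajax_referer( 'lwp_demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    foreach ( array( 'lwp_demo_weather_current', 'lwp_demo_weather_forecast' ) as $key ) {
        delete_transient( $key );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_lwp_demo_clean_transients_hardened', 'lwp_demo_clean_transients_hardened' );

// Nonce distribution: enqueue the script and localize the nonce only on
// admin screens and only for users who could pass the capability check,
// instead of exposing it to every authenticated user on `init`.
function lwp_demo_enqueue_admin_script( $hook_suffix ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'lwp-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'lwp-demo-admin', 'lwpDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'lwp_demo_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'lwp_demo_enqueue_admin_script' );
```

The capability check is the fix that matters: a nonce is a CSRF token, not an authorization decision, and `check_ajax_referer()` will happily accept a valid nonce generated for a low-privilege user. Restricting where the nonce is emitted is defence in depth on top of that, not a substitute for it.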
Explanation of the vulnerability in simple terms
02 Summary
The Location Weather plugin for WordPress does not properly check user permissions before allowing modifications to certain settings. A logged-in user with low privileges can alter plugin configuration without authorization. This affects versions up to 3.0.2. Site administrators should update the plugin to a version newer than 3.0.2.
What an attacker can do
03 Attacker capabilities
A logged-in user can modify plugin settings they should not have access to.
Potential impact on your site
04 Site impact
Unauthorized users may change weather widget settings, affecting site appearance or functionality.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
May 22, 2026: CVE published
May 22, 2026: Record updated