PatchSiren cyber security CVE debrief

CVE-2026-3279 clorith CVE debrief

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. The function only verifies a nonce without checking user capabilities, allowing authenticated attackers with Subscriber-level access and above to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which contains known security vulnerabilities.

Vendor: clorith
Product: Enable jQuery Migrate Helper
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the Enable jQuery Migrate Helper plugin, security teams managing WordPress deployments, and developers maintaining WordPress plugins with administrative functionality

Technical summary

The Enable jQuery Migrate Helper WordPress plugin versions 1.4.1 and below fail to implement proper capability checks in the `downgrade_jquery_version()` function. While the function includes nonce verification, it does not verify that the requesting user has administrative privileges. This allows any authenticated user, including those with Subscriber role, to trigger a downgrade of the site's jQuery version from the current 3.7.1 to the legacy 1.12.4-wp release. The legacy jQuery version contains multiple known security vulnerabilities, effectively reintroducing security risks that the current version addresses. The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS 3.1 score of 6.5 (Medium severity).

Defensive priority

Medium

Recommended defensive actions

  • Update the Enable jQuery Migrate Helper plugin to version 1.4.2 or later when available
  • Apply capability checks to the `downgrade_jquery_version()` function to restrict access to administrators
  • Review all AJAX handlers in the plugin for missing capability checks
  • Consider removing or disabling the Enable jQuery Migrate Helper plugin if jQuery migration assistance is no longer required
  • Monitor for unexpected jQuery version downgrades in WordPress site configurations
  • Implement least-privilege access controls for WordPress user accounts
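The pattern behind CWE-862 in the technical summary, and the capability-check fix recommended above, shown side by side. This is an added illustration written for this debrief, not the plugin's own code: the nonce action name, the option name, the AJAX action slug and the `manage_options` capability are all assumptions, since the page does not state the plugin's actual values. The WordPress functions used (`check_ajax_referer`, `current_user_can`, `update_option`, `wp_send_json_error`, the `updated_option` action) are standard core APIs.

```php
<?php
/**
 * Added example for the CVE-2026-3279 debrief. Not the plugin's code.
 * Names marked "assumed" are placeholders, not values from the advisory.
 */

// VULNERABLE PATTERN (as described in the advisory): nonce only.
// A nonce proves the request originated from a page the user legitimately
// loaded, which defends against CSRF. It says nothing about what the user is
// allowed to do, so any authenticated user (Subscriber and up) who can obtain
// the nonce reaches the privileged action.
function example_downgrade_jquery_version_vulnerable() {
    check_ajax_referer( 'example_downgrade_nonce', 'nonce' ); // assumed nonce action

    update_option( 'example_jquery_version', 'legacy' );      // assumed option name
    wp_send_json_success();
}

// HARDENED PATTERN: keep the nonce (CSRF) and add an authorization check
// (the missing CWE-862 control). 'manage_options' is an assumed capability;
// use whichever capability gates the plugin's own admin screen.
function example_downgrade_jquery_version_hardened() {
    check_ajax_referer( 'example_downgrade_nonce', 'nonce' ); // assumed nonce action

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends execution, so no return is needed.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    update_option( 'example_jquery_version', 'legacy' );      // assumed option name
    wp_send_json_success();
}

// Register only the hardened handler. The slug is an assumption.
add_action( 'wp_ajax_example_downgrade_jquery', 'example_downgrade_jquery_version_hardened' );

// DETECTION AID for the "monitor for unexpected downgrades" action: record who
// changed the (assumed) version option so an unexpected change is attributable.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( 'example_jquery_version' !== $option ) { // assumed option name
        return;
    }
    error_log( sprintf(
        'jQuery version option changed from %s to %s by user %d',
        wp_json_encode( $old_value ),
        wp_json_encode( $value ),
        get_current_user_id()
    ) );
}, 10, 3 );
```

The two handlers differ by a single conditional, which is the whole point of the advisory: nonce verification and capability verification answer different questions, and an AJAX handler that mutates site-wide state needs both. When reviewing other handlers in the plugin (the third recommended action), look for every `wp_ajax_` or `admin_post_` callback that writes an option or changes configuration without a `current_user_can()` call on the path to the write.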

Evidence notes

The vulnerability exists in the `downgrade_jquery_version()` function where nonce verification is present but no capability check is performed. Source code references confirm the vulnerable code paths in both the tagged 1.4.1 release and trunk versions. The Wordfence advisory provides additional technical context on the authentication requirements and impact.

Official resources

2026-05-27