PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4297 newscred CVE debrief

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This vulnerability, CVE-2026-4297, is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() but does not perform any authorization check such as current_user_can('manage_options'). This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary WordPress options via XML-RPC requests. This can be leveraged to change the default_role option to 'administrator' and then register a new administrator account, achieving full privilege escalation and site takeover. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity.

Vendor: newscred
Product: Welcome Software Publishing
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-06-25
Advisory published: 2026-06-24
Advisory updated: 2026-06-25

Who should care

WordPress site administrators and owners using the Welcome Software Publishing plugin should be aware of this vulnerability and take immediate action to protect their sites. This vulnerability can be exploited by authenticated attackers with Subscriber-level access and above, making it a significant risk for sites with multiple users or those that allow user registration.

Technical summary

The vulnerability in the Welcome Software Publishing plugin for WordPress is caused by a missing capability check in the nc_setOption() function. This function is exposed via the nc.setOption XML-RPC method and allows authenticated attackers to update arbitrary WordPress options. The function uses $wp_xmlrpc_server->login() to authenticate users but does not perform any authorization check, such as current_user_can('manage_options'), so authentication alone is treated as permission to write options. As a result, any authenticated user with Subscriber-level access or above can reach the option update. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
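To make the missing check concrete, the following is an added illustrative example, not the plugin's actual source code, of an XML-RPC option setter in the shape the advisory describes, placed beside a hardened form. The function names other than nc_setOption, the positional argument layout and the allowlisted option names are assumptions; the capability and error-handling calls are standard WordPress APIs used the same way core's own wp.setOptions handler uses them.

```php
<?php
/**
 * Added example (not the Welcome Software Publishing plugin's code).
 * Argument layout assumed: [ blog_id, username, password, option_name, option_value ].
 */

// Pattern the advisory describes: authentication only, no authorization check.
function nc_setOption_authn_only( $args ) {
    global $wp_xmlrpc_server;
    $wp_xmlrpc_server->escape( $args );
    list( $blog_id, $username, $password, $option, $value ) = $args;

    // login() proves the caller holds valid credentials for some account...
    $user = $wp_xmlrpc_server->login( $username, $password );
    if ( ! $user ) {
        return $wp_xmlrpc_server->error;
    }
    // ...but nothing here asks whether that account may change site options,
    // so a Subscriber reaches update_option() on any option name it supplies.
    update_option( $option, $value );
    return true;
}

// Hardened form: authorization after authentication, plus an allowlist so the
// method can only touch the handful of options the integration actually owns.
function nc_setOption_hardened( $args ) {
    global $wp_xmlrpc_server;
    $wp_xmlrpc_server->escape( $args );
    list( $blog_id, $username, $password, $option, $value ) = $args;

    $user = $wp_xmlrpc_server->login( $username, $password );
    if ( ! $user ) {
        return $wp_xmlrpc_server->error;
    }

    // login() sets the current user, so current_user_can() evaluates the caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new IXR_Error( 403, __( 'Sorry, you are not allowed to update options.' ) );
    }

    // Least privilege: even an administrator may not use this method to set
    // unrelated options such as default_role. Option names are assumptions.
    $allowed = array( 'nc_api_key', 'nc_sync_interval' );
    if ( ! in_array( $option, $allowed, true ) ) {
        return new IXR_Error( 403, __( 'That option is not managed by this method.' ) );
    }

    update_option( $option, $value );
    return true;
}

// Registration: expose the hardened callback under the nc.setOption method name.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['nc.setOption'] = 'nc_setOption_hardened';
    return $methods;
} );
```

The two checks address different failures: the capability check stops a low-privilege account from calling the method at all, and the allowlist limits the blast radius if a privileged account or token is ever misused. Returning a 403 IXR_Error rather than silently succeeding also gives monitoring something to key on.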

Defensive priority

High priority should be given to updating the Welcome Software Publishing plugin to a version that fixes this vulnerability. Site administrators should also review their user accounts and ensure that only authorized users have elevated privileges.

Recommended defensive actions

  • Update the Welcome Software Publishing plugin to the latest version.
  • Review user accounts and ensure that only authorized users have elevated privileges.
  • Monitor site activity for suspicious XML-RPC requests.
  • Consider limiting XML-RPC access to only trusted IP addresses.
  • Regularly review and update WordPress and its plugins.
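The XML-RPC restriction, monitoring and account-review items above can be applied on the site itself while waiting for the plugin update. The following must-use plugin is an added example, not code from PatchSiren or the plugin vendor: it gates XML-RPC to trusted source addresses, replaces nc.setOption with a wrapper that logs and refuses the call, and surfaces a dashboard notice if default_role has been changed to administrator, which is the step the advisory's takeover chain relies on. The trusted address list and the assumed argument layout are example values.

```php
<?php
/**
 * Plugin Name: nc.setOption stopgap (added example, not the plugin's own code)
 * Description: Place in wp-content/mu-plugins/ so it loads before regular plugins
 *              and cannot be deactivated from the dashboard. Remove after updating.
 */

// 1. Gate XML-RPC as a whole to trusted source addresses. The list is an
//    assumption (203.0.113.0/24 is a documentation range). Core applies this
//    filter to authenticated methods, which is where the risky call lives.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    $trusted = array( '203.0.113.10', '203.0.113.11' );
    $remote  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return $enabled && in_array( $remote, $trusted, true );
}, 99 );

// 2. Swap the plugin's nc.setOption callback for a wrapper that records the
//    attempt and refuses it. Priority 99 runs after the plugin registers its own.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    if ( isset( $methods['nc.setOption'] ) ) {
        $methods['nc.setOption'] = 'nc_setoption_stopgap';
    }
    return $methods;
}, 99 );

function nc_setoption_stopgap( $args ) {
    // Argument layout [ blog_id, username, password, option, value ] is assumed.
    // Only the username and option name are logged, never the password or value.
    $username = isset( $args[1] ) ? (string) $args[1] : '';
    $option   = isset( $args[3] ) ? (string) $args[3] : '';
    $remote   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    error_log( sprintf(
        '[nc.setOption blocked] ip=%s user=%s option=%s',
        $remote,
        $username,
        $option
    ) );

    return new IXR_Error( 403, 'nc.setOption is disabled on this site pending a plugin update.' );
}

// 3. Account-review aid: the advisory's exploit chain flips default_role to
//    administrator before registering a new account. Flag that state loudly.
add_action( 'admin_notices', function () {
    if ( 'administrator' === get_option( 'default_role' ) ) {
        echo '<div class="notice notice-error"><p>'
            . esc_html__( 'default_role is set to administrator. Reset it and review recently registered users.', 'nc-stopgap' )
            . '</p></div>';
    }
} );
```

Two caveats when deploying this: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the trusted list must be evaluated against the real client address that the proxy layer has already validated; and the error_log lines land wherever PHP's error log points, so confirm that destination is collected by whatever reviews the "suspicious XML-RPC requests" item above.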

Evidence notes

The CVE record for CVE-2026-4297 was published on June 24, 2026, and modified on June 25, 2026. The vulnerability was reported by [email protected] and has a CVSS score of 8.8. The NVD detail page and CVE record provide further information about the vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.