PatchSiren cyber security CVE debrief
CVE-2026-7249 shapedplugin CVE debrief
CVE-2026-7249 affects the Location Weather WordPress plugin through 3.0.2. Authenticated users with Contributor-level access or higher can modify plugin state by calling exposed actions that lack capability checks, allowing them to disable weather blocks and purge weather cache transients. The issue is integrity-focused and scored medium severity (CVSS 4.3).
- Vendor: shapedplugin
- Product: Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-22
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-22
Who should care
WordPress site owners and administrators running the Location Weather plugin, especially sites that grant Contributor-level accounts or other low-privilege authenticated users. Security teams should also care if the site uses weather blocks in production or relies on plugin caching behavior.
Technical summary
According to the supplied advisory text and linked code references, `splw_update_block_options()` and `lwp_clean_weather_transients()` do not enforce a capability check before processing requests. The nonce needed to reach these actions is exposed to authenticated users through `wp_localize_script()` on the `init` hook, so a logged-in Contributor-level user can invoke the affected functionality without elevated administrative permissions. The described impact is unauthorized modification of plugin data: disabling all weather blocks and clearing weather cache transients. The published CVSS vector is `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`.
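The weakness class described above (an AJAX handler that is protected by a nonce only, with the nonce handed to every logged-in user) and the corresponding fix, as an added illustration. This is not code from the Location Weather plugin or from shapedplugin; every function, hook, option, transient and nonce name below is hypothetical and chosen only to model the pattern the advisory describes.

```php
<?php
/**
 * Added example, not the plugin's own code. Models a nonce-only AJAX handler
 * (the weakness class in the advisory) beside a hardened version that also
 * enforces a server-side capability check. All names are hypothetical.
 */

// --- Weak pattern: nonce only. ---------------------------------------------
// A nonce proves the request originated from a page this site rendered; it
// says nothing about whether the user is allowed to perform the action. If
// the nonce is localized on 'init' for every logged-in user, a Contributor
// passes this check just as an administrator would.
add_action( 'wp_ajax_demo_weak_update_block_options', 'demo_weak_update_block_options' );
function demo_weak_update_block_options() {
	check_ajax_referer( 'demo_block_nonce', 'nonce' ); // CSRF protection only

	$enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
	update_option( 'demo_weather_blocks_enabled', $enabled ? 1 : 0 );
	wp_send_json_success();
}

// --- Hardened pattern: nonce AND capability check on the server. ------------
add_action( 'wp_ajax_demo_update_block_options', 'demo_update_block_options' );
function demo_update_block_options() {
	// 1. Keep the nonce check: it is still the CSRF defence.
	check_ajax_referer( 'demo_block_nonce', 'nonce' );

	// 2. Authorize. This is the check a nonce alone cannot provide.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Validate input before touching plugin state.
	$enabled = isset( $_POST['enabled'] )
		&& '1' === sanitize_text_field( wp_unslash( $_POST['enabled'] ) );
	update_option( 'demo_weather_blocks_enabled', $enabled ? 1 : 0 );
	wp_send_json_success();
}

add_action( 'wp_ajax_demo_clean_weather_transients', 'demo_clean_weather_transients' );
function demo_clean_weather_transients() {
	check_ajax_referer( 'demo_block_nonce', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}
	// Purge only the cache entry this plugin owns (hypothetical transient key).
	delete_transient( 'demo_weather_cache' );
	wp_send_json_success();
}

// --- Limit who even receives the nonce. ------------------------------------
// Hand the nonce out only on the plugin's own admin screen, and only to users
// who hold the capability the handlers require, instead of on 'init' for all
// authenticated users. The hook suffix below is hypothetical.
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
function demo_enqueue_admin_script( $hook_suffix ) {
	if ( 'toplevel_page_demo-weather' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
		return;
	}
	wp_enqueue_script( 'demo-weather-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script( 'demo-weather-admin', 'demoWeather', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'demo_block_nonce' ),
	) );
}
```

The two checks answer different questions: `check_ajax_referer()` asks "did this request come from a page we rendered?", while `current_user_can()` asks "is this user permitted to do this?". Scoping the `wp_localize_script()` call to the admin screen reduces exposure but is not a substitute for the capability check in the handler, since any authenticated user can still post to `admin-ajax.php` directly.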
Defensive priority
Medium. The impact is limited to integrity changes in the plugin, but the weakness is reachable over the network by authenticated low-privilege users and can affect site behavior immediately.
Recommended defensive actions
- Update the Location Weather plugin to a version newer than 3.0.2 as soon as possible.
- Audit the site for any unexpected disabling of weather blocks or sudden cache/transient purges.
- Review WordPress role assignments; remove unnecessary Contributor-level accounts and enforce least privilege.
- Verify that plugin admin actions are protected by server-side capability checks and not only by nonces.
- Monitor application logs and WordPress activity for calls that match the affected plugin actions.
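One way to get the WordPress-side visibility the last action asks for, as an added example that is not part of the PatchSiren debrief or the plugin: a small must-use plugin that records every `admin-ajax.php` request whose `action` parameter is on a watchlist, along with the caller's login, roles and whether they hold `manage_options`. The watchlist entries are placeholders; the advisory names the affected functions but not the registered AJAX action strings, so those must be read from the plugin's own source (`add_action( 'wp_ajax_...' )` registrations).

```php
<?php
/**
 * Added example (not the plugin's or PatchSiren's code). Drop into
 * wp-content/mu-plugins/ to log calls to watched admin-ajax actions.
 * Entries go to PHP's error_log (wp-content/debug.log when WP_DEBUG_LOG is on).
 */

// PLACEHOLDER values: replace with the plugin's real wp_ajax_* action names.
const DEMO_WATCHED_AJAX_ACTIONS = array(
	'PLACEHOLDER_update_block_options',
	'PLACEHOLDER_clean_weather_transients',
);

// admin-ajax.php fires 'admin_init' before dispatching wp_ajax_* hooks, so a
// high-priority listener here sees every attempt, including ones the plugin
// itself later rejects.
add_action( 'admin_init', 'demo_log_watched_ajax_actions', 1 );
function demo_log_watched_ajax_actions() {
	if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
		return;
	}
	$action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
	if ( ! in_array( $action, DEMO_WATCHED_AJAX_ACTIONS, true ) ) {
		return;
	}

	$user     = wp_get_current_user();
	$ip       = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
	$is_admin = current_user_can( 'manage_options' );

	error_log( demo_format_ajax_audit_entry( $action, $user->user_login, $user->roles, $ip, $is_admin ) );
}

/**
 * Build one log line. A call from a user without manage_options is tagged
 * LOW_PRIV so it can be picked out when reviewing debug.log.
 */
function demo_format_ajax_audit_entry( $action, $login, array $roles, $ip, $is_admin ) {
	return sprintf(
		'[demo-ajax-audit] %s action=%s user=%s roles=%s ip=%s',
		$is_admin ? 'ADMIN' : 'LOW_PRIV',
		$action,
		'' !== $login ? $login : 'anonymous',
		empty( $roles ) ? '-' : implode( ',', $roles ),
		$ip
	);
}
```

A `LOW_PRIV` entry for one of the watched actions is the signal to investigate: on a patched site it should never succeed, and on an unpatched site it is the behaviour the advisory describes. The log line deliberately records roles rather than a single role, because WordPress users can hold several.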
Evidence notes
The vulnerability description, CVSS vector, and CWE mapping are taken from the supplied NVD record and Wordfence-linked advisory context. The code references point to the relevant Location Weather plugin files in the WordPress plugin repository for versions 3.0.2 and 3.0.3, supporting the affected-version boundary and remediation context. The corpus identifies the product as the Location Weather plugin; vendor attribution is otherwise low-confidence in the provided metadata.
Official resources
Publicly disclosed on 2026-05-22 via the NVD record, based on a Wordfence-reported issue in the Location Weather WordPress plugin.