PatchSiren cyber security CVE debrief
CVE-2026-13250 solacewp CVE debrief
The Solace Extra plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 1.5.3. This allows unauthenticated attackers to permanently delete content previously imported via the Starter Template feature, including posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates. The vulnerability is due to improper verification of user authorization. Administrators of WordPress sites using the Solace Extra plugin should verify their site's exposure and update to a patched version if necessary.
- Vendor
- solacewp
- Product
- Solace Extra
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Administrators of WordPress sites using the Solace Extra plugin should verify their site's exposure and update to a patched version if necessary. They should also review site content for unauthorized deletions and implement additional monitoring for suspicious activity.
Technical summary
The Solace Extra plugin for WordPress is vulnerable to authorization bypass due to improper verification of user authorization. This allows unauthenticated attackers to delete posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates. The vulnerability is caused by the plugin not properly verifying that a user is authorized to perform an action. Evidence from Wordfence security reports and WordPress plugin repository indicates that unauthenticated attackers can permanently delete content previously imported via the Starter Template feature. The required nonce is emitted on every wp-admin page via wp_localize_script() hooked to admin_enqueue_scripts without a page guard, making it reachable by fully unauthenticated users. Defenders should verify the integrity of their site content and review logs for unauthorized deletions.
Defensive priority
Medium priority due to potential for site content deletion.
Recommended defensive actions
- Verify and update Solace Extra plugin to a patched version
- Review site content for unauthorized deletions
- Implement additional monitoring for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The Solace Extra plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 1.5.3. Evidence from Wordfence security reports and WordPress plugin repository indicates that unauthenticated attackers can permanently delete content previously imported via the Starter Template feature. Defenders should verify the integrity of their site content and review logs for unauthorized deletions. The required nonce is emitted on every wp-admin page via wp_localize_script() hooked to admin_enqueue_scripts without a page guard, making it reachable by fully unauthenticated users.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:32.243Z and has not been modified since then.