HIGH
newscred
CVE published 2026-06-24
CVE-2026-4297
The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This vulnerability, CVE-2026-4297, is due to a missing capability check in the nc_setOption() function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the user via $wp_xmlrpc_server->login() but does not perform any authorization check [truncated]
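The missing step described above, shown as an added example that is not the plugin's own code: a WordPress XML-RPC handler that checks a capability after login() succeeds and restricts which options can be written. The method name example.setOption, the argument order, and the allowlisted option names are hypothetical.

```php
<?php
// Added example, not code from the Welcome Software Publishing plugin.
// Hypothetical: method name, argument order, and the option names below.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_api_key', 'example_publish_status' );

// Register the handler the same way any plugin exposes an XML-RPC method.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['example.setOption'] = 'example_set_option';
    return $methods;
} );

function example_set_option( $args ) {
    global $wp_xmlrpc_server;

    if ( ! is_array( $args ) || count( $args ) < 4 ) {
        return new IXR_Error( 400, 'Expected username, password, option name, value.' );
    }
    list( $username, $password, $name, $value ) = $args;

    // Authentication: establishes who the caller is. Any account with valid
    // credentials passes this step, whatever its role.
    $user = $wp_xmlrpc_server->login( $username, $password );
    if ( ! $user ) {
        return $wp_xmlrpc_server->error;
    }

    // Authorization: the check the advisory reports as missing. Changing
    // site options is an administrator-level action.
    if ( ! user_can( $user, 'manage_options' ) ) {
        return new IXR_Error( 403, 'You are not allowed to change options.' );
    }

    // Defense in depth: never pass a caller-chosen key straight to
    // update_option(); accept only the options this endpoint owns.
    if ( ! is_string( $name ) || ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        return new IXR_Error( 403, 'Option is not writable through this method.' );
    }
    if ( ! is_scalar( $value ) ) {
        return new IXR_Error( 400, 'Option value must be a scalar.' );
    }

    return update_option( $name, sanitize_text_field( (string) $value ) );
}
```

The allowlist matters even with the capability check in place, because it keeps core options such as the default role or registration settings out of reach of this endpoint.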