PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10148 WordPress CVE debrief

CVE-2016-10148 is an access-control flaw in the wp_ajax_update_plugin AJAX handler in WordPress core. In versions before 4.6, the handler called get_plugin_data before checking that the caller held the update_plugins capability, so any authenticated user, whatever their role, could submit a plugin parameter and have plugin file data read and exposed before the intended authorization check ran. NVD lists WordPress through 4.5.5 as affected and assigns a CVSS v3.0 base score of 4.3 (MEDIUM). The record was published on 2017-01-18 and last modified on 2026-05-13; those dates reflect CVE record timing, not when the bug was introduced or fixed.

Vendor
WordPress
Product
WordPress (CVE-2016-10148)
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-18
Original CVE updated
2026-05-13
Advisory published
2017-01-18
Advisory updated
2026-05-13

Who should care

WordPress site administrators, hosting providers, plugin-security reviewers, and defenders responsible for access-control hardening, especially anyone still operating a legacy WordPress 4.5.x installation or a fork that backports core fixes selectively.

Technical summary

The defect is in wp-admin/includes/ajax-actions.php: wp_ajax_update_plugin invoked get_plugin_data on the caller-supplied plugin parameter before validating the update_plugins capability. Because the file read happened first, an authenticated user without plugin-update rights could reach the handler through admin-ajax.php and obtain plugin data that the capability check was meant to withhold. NVD maps the weakness to CWE-254 (Security Features) and CWE-284 (Improper Access Control); the fix is WordPress core changeset 38168, tracked in ticket 37490. The advisory describes the issue as related to CVE-2016-6896.
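The ordering defect described above, shown as an added illustration rather than WordPress core's own code: a hypothetical admin-ajax handler for an action named ps_plugin_info, written first in the vulnerable shape (plugin header data loaded from a caller-supplied path before any capability check) and then in the hardened shape (nonce, capability, input validation, and only then file access). The action name, function names and mu-plugin layout are assumptions; check_ajax_referer, current_user_can, plugin_basename, validate_file, get_plugin_data, wp_send_json_error and wp_send_json_success are real WordPress core functions.

```php
<?php
/**
 * Plugin Name: PatchSiren AJAX ordering example (added example, not WordPress core code)
 * Description: Drop into wp-content/mu-plugins/ to register the hardened handler only.
 */

if ( ! function_exists( 'get_plugin_data' ) ) {
	require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

/*
 * VULNERABLE SHAPE (defined for comparison, deliberately NOT hooked up).
 * Mirrors the CVE-2016-10148 pattern: get_plugin_data() reads the plugin
 * header from a caller-supplied path before current_user_can() is consulted,
 * so every logged-in user can drive the read, and the path is never validated.
 */
function ps_ajax_plugin_info_vulnerable() {
	check_ajax_referer( 'updates' );
	$plugin = isset( $_POST['plugin'] ) ? urldecode( $_POST['plugin'] ) : '';

	$data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin ); // runs for any authenticated role

	if ( ! current_user_can( 'update_plugins' ) ) {           // the check arrives too late
		wp_send_json_error( array( 'errorCode' => 'insufficient_capability' ) );
	}
	wp_send_json_success( array( 'name' => $data['Name'], 'version' => $data['Version'] ) );
}

/*
 * HARDENED SHAPE: nonce, then capability, then input validation, then file
 * access. Nothing about the plugin is touched or revealed until the caller
 * has proven the right to see it.
 */
function ps_ajax_plugin_info_hardened() {
	check_ajax_referer( 'updates' );

	if ( ! current_user_can( 'update_plugins' ) ) {
		wp_send_json_error( array( 'errorCode' => 'insufficient_capability' ) );
	}

	$plugin = isset( $_POST['plugin'] )
		? plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) )
		: '';

	// validate_file() returns 0 only for a relative path with no '..' segments
	// and no Windows drive letter or scheme prefix.
	if ( '' === $plugin || 0 !== validate_file( $plugin ) ) {
		wp_send_json_error( array( 'errorCode' => 'invalid_plugin' ) );
	}

	$path = WP_PLUGIN_DIR . '/' . $plugin;
	if ( ! is_file( $path ) ) {
		wp_send_json_error( array( 'errorCode' => 'plugin_not_found' ) );
	}

	$data = get_plugin_data( $path, false, false );
	wp_send_json_success( array(
		'plugin'  => $plugin,
		'name'    => $data['Name'],
		'version' => $data['Version'],
	) );
}

// Only the hardened handler is registered; the action name 'ps_plugin_info' is hypothetical.
add_action( 'wp_ajax_ps_plugin_info', 'ps_ajax_plugin_info_hardened' );
```

A request of the form POST /wp-admin/admin-ajax.php with action=ps_plugin_info, _ajax_nonce and plugin=some-plugin/some-plugin.php exercises the hardened handler; a subscriber-level account receives insufficient_capability without any file having been opened, which is the property the core fix restored.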

Defensive priority

Medium. This is not a remote unauthenticated RCE issue, but it does affect an authorization boundary: any logged-in user can reach admin-ajax.php, so the bug exposes restricted plugin details to the lowest-privilege authenticated role. Patch legacy WordPress versions promptly; where patching is impossible, minimize the number of authenticated accounts and review any custom AJAX handler that loads data before it checks the caller's capability.

Recommended defensive actions

  • Upgrade WordPress to 4.6 or later; every version through 4.5.5 is listed by NVD as vulnerable.
  • Confirm the wp-admin/includes/ajax-actions.php fix corresponding to core changeset 38168 is present in any maintained fork or backport, and that the capability check precedes the get_plugin_data call.
  • Review authenticated user roles and remove unnecessary accounts; any logged-in user, including subscribers, can reach admin-ajax.php endpoints.
  • Audit access around admin-ajax.php for plugin-data requests from low-privilege authenticated users. Note that the AJAX action and the plugin parameter travel in the POST body, so web server access logs alone rarely show them; log at the application layer.
  • Treat the issue as an authorization-control defect and verify similar patterns elsewhere in custom AJAX handlers: validate the capability before loading sensitive data.
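A compensating control for the audit recommendation above, added here as an example rather than taken from the page's sources: a mu-plugin that hooks core's update-plugin AJAX action ahead of the core handler and writes a log line whenever a logged-in user without update_plugins reaches it. It assumes the hook name form core uses for its POST actions (wp_ajax_update-plugin, registered by admin-ajax.php at priority 1), that PHP's error_log output is collected by your log pipeline, and a log line format chosen for this example.

```php
<?php
/**
 * Plugin Name: PatchSiren update-plugin audit hook (added example, not WordPress core code)
 * Description: Drop into wp-content/mu-plugins/. Logs low-privilege calls to the core
 *              update-plugin AJAX action; it observes but does not block, so it is safe
 *              to run on any version, patched or not.
 */

/**
 * Build the audit line for one request to admin-ajax.php with action=update-plugin.
 *
 * @param WP_User $user   The authenticated caller (admin-ajax.php rejects anonymous users first).
 * @param array   $post   Request body, normally $_POST.
 * @param array   $server Server vars, normally $_SERVER.
 * @return string|null    Log line for a caller lacking update_plugins, null when entitled.
 */
function ps_audit_update_plugin_request( $user, $post, $server ) {
	if ( user_can( $user, 'update_plugins' ) ) {
		return null; // entitled caller; nothing unusual to record
	}
	$plugin = isset( $post['plugin'] ) ? sanitize_text_field( wp_unslash( $post['plugin'] ) ) : '';
	$ip     = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : 'unknown';

	// Format is an assumption for this example; adjust to whatever your SIEM parses.
	return sprintf(
		'patchsiren_audit action=update-plugin uid=%d login=%s plugin=%s ip=%s',
		$user->ID,
		$user->user_login,
		$plugin,
		$ip
	);
}

/*
 * Priority 0 runs before core's wp_ajax_update_plugin at priority 1, so the
 * line is written even on an unpatched 4.5.x site, before the vulnerable
 * handler performs its get_plugin_data() read.
 */
add_action( 'wp_ajax_update-plugin', function () {
	$line = ps_audit_update_plugin_request( wp_get_current_user(), $_POST, $_SERVER );
	if ( null !== $line ) {
		error_log( $line );
	}
}, 0 );
```

The plugin value is logged after sanitize_text_field so a traversal attempt still appears in the line; review for any line whose login is not an administrator or for plugin values containing ../.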

Evidence notes

Primary evidence comes from the NVD record, which states that wp_ajax_update_plugin in wp-admin/includes/ajax-actions.php called get_plugin_data before checking update_plugins, affecting WordPress through 4.5.5. The record links to the WordPress patch in changeset 38168, issue tracker ticket 37490, and a third-party technical advisory. The CVE publication date (2017-01-18) and modification date (2026-05-13) are record dates and should not be read as the dates of the vulnerability or its fix.

Official resources

WordPress core changeset 38168 and ticket 37490 are the primary vendor references. The issue was publicly disclosed via the referenced third-party advisory and mailing list materials in 2016; the CVE record itself was published on 2017-01-18 and later modified on 2026-05-13.