5.3
CallbackKiller Plugin Allows Unauthorized Site Settings Changes
CVE-2026-1944
Summary
The CallbackKiller service widget plugin for WordPress lets attackers change the plugin's site ID settings without permission. The cbk_save() function, reachable through the 'cbk_save_v1' AJAX action, has no capability check in versions up to and including 1.2, so unauthenticated requests can modify the setting. To fix this, update the plugin to a version newer than 1.2 so that settings can only be changed by authorized users.
Original title
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and inc...
Original description
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.
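An added example, not the plugin's own code or the vendor's patch: the shape of an AJAX save handler that performs the authorization the description reports as missing. Only `cbk_save()` and the `cbk_save_v1` action come from the advisory; the option name `cbk_site_id`, the `site_id` and `nonce` parameters, the nonce action `cbk_save_nonce` and the choice of the `manage_options` capability are assumptions.

```php
<?php
// Hypothetical hardened handler for illustration; not taken from the plugin source.

// Register only the authenticated hook. With no wp_ajax_nopriv_ counterpart,
// logged-out requests to admin-ajax.php never reach the handler.
add_action( 'wp_ajax_cbk_save_v1', 'cbk_save' );

function cbk_save() {
    // 1. CSRF protection: reject requests without a valid nonce.
    //    Passing false as the third argument makes the call return false
    //    instead of dying, so the error response can be explicit.
    if ( ! check_ajax_referer( 'cbk_save_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization: the capability check (CWE-862) the advisory says is absent.
    //    Being logged in is not enough; the user must be allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: unslash and sanitize before storing (assumed parameter name).
    $site_id = isset( $_POST['site_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['site_id'] ) )
        : '';
    if ( '' === $site_id ) {
        wp_send_json_error( array( 'message' => 'Missing site ID.' ), 400 );
    }

    // 4. Persist only after every check has passed (assumed option name).
    update_option( 'cbk_site_id', $site_id );
    wp_send_json_success();
}
```

`wp_send_json_error()` terminates the request, so each failed check stops execution before `update_option()` is reached.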
NVD CVSS 3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/callbackkiller-service-widget/tags/1....
- https://plugins.trac.wordpress.org/browser/callbackkiller-service-widget/tags/1....
- https://plugins.trac.wordpress.org/browser/callbackkiller-service-widget/trunk/c...
- https://plugins.trac.wordpress.org/browser/callbackkiller-service-widget/trunk/c...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/98a7572d-9642-4150-811...
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026