CVE-2026-0572 Overview
The WebPurify Profanity Filter plugin for WordPress contains a broken access control vulnerability that allows unauthorized modification of plugin settings. The flaw exists due to a missing capability check on the webpurify_save_options function in all versions up to and including 4.0.2. This security gap enables unauthenticated attackers to alter plugin configurations without requiring any authentication or authorization.
Critical Impact
Unauthenticated attackers can modify WebPurify plugin settings, potentially disabling content filtering protections or redirecting API calls to attacker-controlled endpoints, compromising site content moderation capabilities.
Affected Products
- WebPurify Profanity Filter plugin for WordPress versions up to and including 4.0.2
- WordPress installations using the vulnerable WebPurify Profanity Filter plugin
Discovery Timeline
- 2026-02-04 - CVE-2026-0572 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-0572
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization): a broken access control flaw in the plugin's settings handling. The webpurify_save_options function does not perform a capability check before processing configuration changes. In WordPress plugin development, any function that modifies settings should first verify that the requesting user holds the appropriate administrative capability, typically with current_user_can(). Because that validation is absent, any remote user, including an unauthenticated visitor, can submit a request that changes the plugin's operational parameters.
The vulnerability can be exploited over the network without requiring any user interaction or prior authentication. An attacker could manipulate the plugin settings to disable profanity filtering entirely, modify API endpoints, or alter filter word lists, effectively compromising the content moderation system the plugin provides.
Root Cause
The root cause of CVE-2026-0572 is the missing authorization check in the webpurify_save_options function located in the webpurifytextreplace-options.php file. WordPress plugins must explicitly verify user capabilities before executing privileged operations. This function processes settings updates without validating whether the requesting user has the manage_options capability or any other administrative privilege, creating an authorization bypass condition.
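To make the missing check concrete, the following is an added illustration and not the plugin's own code (the advisory does not reproduce it): a hypothetical WordPress settings handler written in the vulnerable shape, followed by a hardened version that authorizes, verifies a nonce and validates the value. The function, option and field names are constructed for the example.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical settings handler
// in the vulnerable shape (CWE-862) beside the hardened form. Function,
// option and field names are constructed for the example.

// VULNERABLE PATTERN: whoever can deliver a POST to this handler, logged in
// or not, rewrites the option. No capability check, no nonce, no validation.
function demo_save_options_vulnerable() {
    if ( ! isset( $_POST['demo_api_endpoint'] ) ) {
        return false;
    }
    $endpoint = sanitize_text_field( wp_unslash( $_POST['demo_api_endpoint'] ) );
    return update_option( 'demo_api_endpoint', $endpoint );
}

// HARDENED PATTERN: authorize, then verify the request origin, then validate.
function demo_save_options_hardened() {
    // 1. Authorization (the check that CVE-2026-0572 lacks): only users who
    //    hold manage_options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the submitting form must carry a nonce created with
    //    wp_nonce_field( 'demo_save_options', 'demo_nonce' ); dies on mismatch.
    check_admin_referer( 'demo_save_options', 'demo_nonce' );

    if ( ! isset( $_POST['demo_api_endpoint'] ) ) {
        return false;
    }
    // 3. Validation: the advisory's impact is an API call redirected to an
    //    attacker host, so only an https URL is accepted as the endpoint.
    $endpoint = esc_url_raw( wp_unslash( $_POST['demo_api_endpoint'] ) );
    if ( '' === $endpoint || 'https' !== wp_parse_url( $endpoint, PHP_URL_SCHEME ) ) {
        return false;
    }
    return update_option( 'demo_api_endpoint', $endpoint );
}

// Register the hardened handler for an admin-post.php form submission. The
// admin_post_{action} hook (unlike admin_post_nopriv_{action}) is only reached
// by logged-in users; that is a second line of defence, not a substitute for
// the capability check above.
add_action( 'admin_post_demo_save_options', 'demo_save_options_hardened' );
```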
Attack Vector
The attack vector for this vulnerability is network-based, allowing remote exploitation. An attacker can craft HTTP requests directly to the vulnerable endpoint, bypassing the WordPress admin interface entirely. The attack requires no authentication credentials, no special privileges, and no user interaction, making it highly accessible to opportunistic attackers.
The exploitation process involves:
- Identifying a WordPress site running the vulnerable WebPurify Profanity Filter plugin
- Crafting a direct HTTP POST request to the options-saving endpoint
- Submitting arbitrary configuration values without authentication
- The plugin processes and saves the malicious settings
For technical details on the vulnerable code, see the WordPress Plugin Code Review in the WordPress Plugin Directory.
Detection Methods for CVE-2026-0572
Indicators of Compromise
- Unexpected changes to WebPurify Profanity Filter plugin settings
- Modified API endpoint configurations pointing to unknown or malicious domains
- Disabled or altered profanity filter word lists
- Unusual HTTP POST requests to plugin options endpoints from unauthenticated sessions
Detection Strategies
- Monitor WordPress option tables for unauthorized changes to webpurify_* configuration values
- Review web server access logs for POST requests to WebPurify plugin endpoints from non-authenticated sessions
- Implement file integrity monitoring on plugin configuration files
- Use WordPress security plugins that alert on options table modifications
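One way to get the options-table monitoring described above without a third-party security plugin is a small must-use plugin that hooks WordPress's own option-update actions. This is an added example, not part of WebPurify or the advisory; matching option names on a "webpurify" prefix is an assumption taken from the "webpurify_*" wording above.

```php
<?php
/**
 * Plugin Name: Demo option-change audit (added example, not part of WebPurify)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Which options to watch. Matching on a "webpurify" prefix is an assumption
// taken from the advisory's "webpurify_*" wording; adjust to the real names.
function demo_is_watched_option( $option ) {
    return 0 === strpos( (string) $option, 'webpurify' );
}

// One structured log line per change. Values are logged only as SHA-256
// digests so an API key stored in the option never lands in the log.
function demo_option_change_record( $option, $old_value, $new_value ) {
    return wp_json_encode( array(
        'event'       => 'option_changed',
        'option'      => $option,
        'user_id'     => get_current_user_id(),          // 0 = unauthenticated
        'can_manage'  => current_user_can( 'manage_options' ),
        'method'      => isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '',
        'uri'         => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'old_sha256'  => hash( 'sha256', maybe_serialize( $old_value ) ),
        'new_sha256'  => hash( 'sha256', maybe_serialize( $new_value ) ),
    ) );
}

// Emit the record. A write to a watched option from a session that cannot
// manage_options is exactly the CVE-2026-0572 symptom, so it is tagged ALERT.
function demo_log_option_change( $option, $old_value, $new_value ) {
    if ( ! demo_is_watched_option( $option ) ) {
        return;
    }
    $record = demo_option_change_record( $option, $old_value, $new_value );
    $tag    = current_user_can( 'manage_options' ) ? 'AUDIT' : 'ALERT';
    error_log( $tag . ' webpurify-option-change ' . $record );
}

// updated_option fires after a changed value is saved; added_option fires when
// an option is created for the first time (update_option() falls through to
// add_option() in that case), so both paths are covered.
add_action( 'updated_option', 'demo_log_option_change', 10, 3 );
add_action( 'added_option', function ( $option, $value ) {
    demo_log_option_change( $option, null, $value );
}, 10, 2 );
```

error_log() output goes to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is enabled); forward it to your SIEM and alert on the ALERT tag. Behind a reverse proxy, remote_addr will be the proxy's address unless the proxy's forwarded-for header is trusted and resolved elsewhere.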
Monitoring Recommendations
- Enable detailed logging for all WordPress admin-ajax and options update requests
- Configure alerts for plugin settings changes outside of normal administrative hours
- Implement network-level monitoring for unusual request patterns targeting WordPress plugin endpoints
- Regularly audit plugin configurations against known-good baselines
How to Mitigate CVE-2026-0572
Immediate Actions Required
- Update the WebPurify Profanity Filter plugin to a patched version if available
- Temporarily deactivate the plugin if no patch is available and content filtering is not critical
- Review and restore plugin settings to verified configurations
- Implement web application firewall (WAF) rules to block unauthorized requests to the vulnerable endpoint
Patch Information
Users should check for updates to the WebPurify Profanity Filter plugin through the WordPress admin dashboard or the WordPress Plugin Directory. For detailed vulnerability information and remediation guidance, refer to the Wordfence Vulnerability Report.
Workarounds
- Restrict access to WordPress admin endpoints using .htaccess rules or server-level access controls
- Implement IP whitelisting for administrative functions if updating is not immediately possible
- Use a security plugin with virtual patching capabilities to add capability checks at the application layer
- Consider temporarily removing the plugin until an official patch is released
# Example .htaccess restriction for direct requests to the plugin's options file.
# 192.168.1.0/24 is a placeholder for your admin network. Order/Deny/Allow is
# Apache 2.2 syntax; Apache 2.4 uses Require, so both forms are given.
<FilesMatch "webpurifytextreplace-options\.php$">
  <IfModule mod_authz_core.c>
    Require ip 192.168.1.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
  </IfModule>
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.