CVE-2026-1944 Overview
The CallbackKiller service widget plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the cbk_save() function. It affects all versions up to and including version 1.2. Because the handler behind the cbk_save_v1 AJAX action performs no capability check, unauthenticated attackers can modify the plugin's site ID settings.
Critical Impact
Unauthenticated attackers can modify plugin settings, potentially redirecting callback widget functionality or disrupting service integration for affected WordPress sites.
Affected Products
- CallbackKiller Service Widget for WordPress versions up to and including 1.2
Discovery Timeline
- February 14, 2026 - CVE-2026-1944 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1944
Vulnerability Analysis
This vulnerability stems from a missing capability check (authorization bypass) in the WordPress plugin's AJAX handler. The cbk_save() function, which handles the cbk_save_v1 AJAX action, does not verify that the requesting user is allowed to change settings before writing them. A WordPress settings handler should reject the request unless current_user_can() confirms an appropriate capability (manage_options for site-wide settings) and check_ajax_referer() validates a nonce. The nonce defends against CSRF but is not a substitute for the capability check, and a handler that saves settings has no reason to be reachable through a wp_ajax_nopriv_ hook at all.
The vulnerability is exploitable over the network without authentication or user interaction. The confidentiality and availability impacts are none; the integrity impact is unauthorized modification of the plugin's site ID configuration. Missing authorization flaws of this kind are commonly exploited to hijack widget functionality or inject attacker-controlled service identifiers.
Root Cause
The root cause is the absence of an authorization check in cbk_save(). The handler is registered on the wp_ajax_nopriv_cbk_save_v1 action hook, which WordPress fires for requests from visitors who are not logged in, so the function is reachable without any session. With no capability check inside the function, any visitor to the WordPress site can invoke the endpoint and overwrite the plugin's settings.
The vulnerable code can be reviewed in the WordPress Plugin Trac repository (lines 34 and 133 of the plugin source).
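The following PHP is added here as an illustration and is not taken from the CallbackKiller plugin. It shows the handler pattern described above beside a hardened version that keeps the settings action off the nopriv hook, checks a nonce, and checks a capability. Only the hook name wp_ajax_nopriv_cbk_save_v1, the action name cbk_save_v1 and the function name cbk_save() come from the advisory; the option name cbk_site_id, the request parameter site_id, the nonce name and the accepted site ID format are assumptions made for this example.

```php
<?php
// Added example for this advisory, not the CallbackKiller plugin's own code.
// Assumed names: option 'cbk_site_id', POST field 'site_id', nonce action 'cbk_save_v1'.

// --- Vulnerable pattern (CWE-862): no capability check, no nonce, reachable logged-out ---
function cbk_save_vulnerable() {
    $site_id = isset( $_POST['site_id'] ) ? sanitize_text_field( wp_unslash( $_POST['site_id'] ) ) : '';
    update_option( 'cbk_site_id', $site_id ); // any visitor can overwrite the site ID
    wp_send_json_success();
}
// The vulnerable plugin registers its handler like this (left commented so that this
// file does not expose the weak handler if it is loaded as-is):
// add_action( 'wp_ajax_nopriv_cbk_save_v1', 'cbk_save_vulnerable' ); // logged-out visitors
// add_action( 'wp_ajax_cbk_save_v1',        'cbk_save_vulnerable' ); // logged-in users

// --- Hardened handler ---
function cbk_save_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action to a logged-in user.
    //    check_ajax_referer() dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'cbk_save_v1', 'nonce' );

    // 2. Authorization: only users who may manage site options can change plugin settings.
    //    This is the check the vulnerable handler lacks; the nonce alone does not provide it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only the shape a site ID is expected to have (assumed format).
    $site_id = isset( $_POST['site_id'] ) ? sanitize_text_field( wp_unslash( $_POST['site_id'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $site_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid site ID.' ), 400 );
    }

    update_option( 'cbk_site_id', $site_id );
    wp_send_json_success( array( 'site_id' => $site_id ) );
}
// Register the authenticated hook only. Saving settings never needs a wp_ajax_nopriv_ variant,
// so a logged-out request to action=cbk_save_v1 now gets WordPress's default "0" response.
add_action( 'wp_ajax_cbk_save_v1', 'cbk_save_hardened' );

// The admin page that calls the action needs the matching nonce. 'cbk-admin' is an assumed
// script handle; the plugin's settings page JavaScript would send cbkAjax.nonce as 'nonce'.
function cbk_admin_scripts() {
    wp_localize_script( 'cbk-admin', 'cbkAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'cbk_save_v1' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cbk_admin_scripts' );
```

The order of the checks matters only for error reporting; what matters for security is that both the nonce and the capability are verified before update_option() runs, and that the nopriv registration is gone.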
Attack Vector
An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the action parameter set to cbk_save_v1. The attack requires no authentication, no special privileges, and no user interaction, making it trivially exploitable once a target using the vulnerable plugin is identified.
The attack modifies the site ID settings within the CallbackKiller widget configuration, which could allow attackers to redirect callback requests to attacker-controlled services or disrupt legitimate callback functionality for the affected website.
Detection Methods for CVE-2026-1944
Indicators of Compromise
- Unexpected modifications to CallbackKiller plugin settings in the WordPress database options table
- HTTP POST requests to /wp-admin/admin-ajax.php with action=cbk_save_v1 from clients without a WordPress login session (the action parameter is normally sent in the POST body, which default web server access logs do not record, so application- or WAF-level logging is needed to see it; a query-string variant is visible in the access log)
- Changes to the site ID configuration that do not correspond to administrator activity
- Web server access logs showing repeated AJAX requests to the vulnerable endpoint from external IP addresses
Detection Strategies
- Monitor WordPress AJAX requests for the cbk_save_v1 action from clients that carry no wordpress_logged_in_ cookie
- Implement Web Application Firewall (WAF) rules that inspect both the query string and the POST body of admin-ajax.php requests for action=cbk_save_v1 and block it when no login cookie is present
- Review database change logs, or compare the stored CallbackKiller option against its known-good value, for unauthorized modifications to the widget options
- Configure file integrity monitoring for the CallbackKiller plugin directory; note that this detects tampering with the plugin files, not the settings change itself, which lives in the options table
Monitoring Recommendations
- Log the action parameter of admin-ajax.php requests in production (for example from a must-use plugin or the WAF), since exploitation targets live sites and web server access logs do not capture POST bodies
- Set up alerting for changes to plugin configuration options outside of normal administrative sessions
- Monitor HTTP traffic patterns for automated exploitation attempts targeting WordPress AJAX endpoints
- Regularly audit installed WordPress plugins against vulnerability databases such as the Wordfence vulnerability database
How to Mitigate CVE-2026-1944
Immediate Actions Required
- Update the CallbackKiller Service Widget plugin to a patched version if available
- Temporarily deactivate and remove the CallbackKiller Service Widget plugin if no patch is available
- Review current plugin settings and restore legitimate site ID configuration if tampering is suspected
- Implement WAF rules to block unauthenticated requests to the vulnerable AJAX action
Patch Information
Consult the Wordfence Vulnerability Report for the latest patch status and remediation guidance. Monitor the WordPress plugin repository for an updated version that addresses this missing capability check.
Workarounds
- Deactivate the CallbackKiller Service Widget plugin until a patched version is available
- Implement server-level access controls to restrict access to /wp-admin/admin-ajax.php for unauthenticated users (WordPress core and many plugins use this endpoint for logged-out visitors, so this will impact other functionality)
- Deploy a Web Application Firewall rule to block requests carrying action=cbk_save_v1 (in the query string or the POST body) from clients without a WordPress login session
- Consider using a security plugin like Wordfence to monitor and block exploitation attempts
# Example .htaccess rule (Apache 2.4) to block the vulnerable action for visitors
# without a WordPress login cookie. Use with caution, and note the limit: this rule
# only sees action=cbk_save_v1 in the query string; admin-ajax.php also accepts the
# action in the POST body, which .htaccess cannot inspect, so pair this with
# WAF-level protection for more granular control. Requires AllowOverride AuthConfig.
<Files admin-ajax.php>
<RequireAll>
Require all granted
Require expr "!(%{QUERY_STRING} =~ /(^|&)action=cbk_save_v1(&|$)/ && %{HTTP_COOKIE} !~ /wordpress_logged_in_/)"
</RequireAll>
</Files>
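Because admin-ajax.php reads the action from the POST body as well as the query string, a web-server rule cannot see every request, but a must-use plugin that hooks the same action inside WordPress can. The following is an added example written for this advisory, not code from the CallbackKiller plugin or from Wordfence. It assumes the plugin registers its handler at WordPress's default priority 10, so that a priority-0 callback runs first and ends the request before cbk_save() executes. The guard on the authenticated wp_ajax_cbk_save_v1 hook is defensive in case the plugin also registers that hook, which the advisory does not state; if the hook is unregistered the guard is harmless.

```php
<?php
/**
 * Plugin Name: CVE-2026-1944 guard for cbk_save_v1 (added example)
 *
 * Drop this file into wp-content/mu-plugins/ as a stopgap until the CallbackKiller
 * plugin is updated or removed. This is an illustration for the advisory, not code
 * shipped by the plugin or by Wordfence. Assumption: the plugin's own callback is
 * attached at the default priority 10, so these priority-0 hooks run before it.
 */

// Write one line per blocked attempt to the PHP error log. Unlike the web server
// access log, this path sees the action even when it arrives in the POST body.
function cbk_guard_log( $reason ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $ua     = isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '';
    error_log( sprintf(
        'CVE-2026-1944 guard: blocked cbk_save_v1 (%s) from %s ua="%s"',
        $reason,
        $remote,
        substr( $ua, 0, 200 )
    ) );
}

// Unauthenticated path: the hook the advisory names. Reject every request outright;
// saving settings has no legitimate logged-out caller. wp_send_json_error() sends the
// 403 and calls wp_die(), so the plugin's cbk_save() never runs for this request.
function cbk_guard_block_nopriv_save() {
    cbk_guard_log( 'unauthenticated' );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'wp_ajax_nopriv_cbk_save_v1', 'cbk_guard_block_nopriv_save', 0 );

// Authenticated path (assumed; the advisory only documents the nopriv hook). Supply the
// capability check the handler lacks so that a subscriber-level account cannot use it either.
function cbk_guard_require_cap() {
    if ( ! current_user_can( 'manage_options' ) ) {
        cbk_guard_log( 'insufficient capability, user ' . get_current_user_id() );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}
add_action( 'wp_ajax_cbk_save_v1', 'cbk_guard_require_cap', 0 );
```

The guard is intentionally narrow: it touches only the cbk_save_v1 action, so other plugins that rely on admin-ajax.php for logged-out visitors keep working, which the blanket .htaccess restriction above cannot promise. Remove the file once a patched plugin version is installed.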
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


