CVE-2026-4280 Overview
The Breaking News WP plugin for WordPress contains a Local File Inclusion (LFI) vulnerability affecting all versions up to and including 1.3. This vulnerability exists in the brnwp_ajax_form AJAX endpoint, which lacks both authorization checks and CSRF verification. Combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler, authenticated attackers with Subscriber-level access can achieve arbitrary file inclusion on the server.
Critical Impact
Authenticated attackers with minimal privileges (Subscriber-level) can read sensitive files on the server, including configuration files containing database credentials and other sensitive information, potentially leading to full site compromise.
Affected Products
- Breaking News WP plugin for WordPress versions up to and including 1.3
- WordPress installations with Breaking News WP plugin active
- All server configurations where the plugin is deployed without additional access controls
Discovery Timeline
- 2026-04-22 - CVE-2026-4280 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4280
Vulnerability Analysis
This vulnerability combines multiple security weaknesses to enable Local File Inclusion. The brnwp_ajax_form AJAX endpoint permits authenticated users with Subscriber-level access to modify the brnwp_theme plugin option without proper authorization checks. While the plugin applies sanitize_text_field() to user input, this sanitization function does not strip directory traversal sequences (../), allowing attackers to inject path traversal payloads.
When the brnwp_show_breaking_news_wp() shortcode is subsequently rendered, the unsanitized brnwp_theme option value is passed directly to a PHP include() statement, enabling arbitrary file inclusion. This allows attackers to read sensitive system files such as /etc/passwd or WordPress configuration files containing database credentials.
Root Cause
The root cause is a combination of missing security controls: the AJAX endpoint lacks proper capability checks and CSRF token verification, while the file inclusion logic uses inadequate path validation. The sanitize_text_field() function is designed for sanitizing text output rather than file path validation, making it ineffective at preventing directory traversal attacks. Proper implementation would require explicit path validation using functions like realpath() with directory boundary checks, combined with proper authorization and nonce verification on the AJAX endpoint.
Attack Vector
The attack is carried out over the network and requires authentication with at least Subscriber-level privileges. An attacker first sends a malicious AJAX request to the brnwp_ajax_form endpoint, overwriting the brnwp_theme option with a directory traversal payload (e.g., ../../../../etc/passwd). When any visitor loads a page containing the Breaking News WP shortcode, the malicious path is included via PHP's include() function, exposing the contents of the targeted file.
The vulnerability code can be examined in the Breaking News WP plugin source at line 366, line 372, and line 85 where the unsafe option handling and file inclusion occur. For detailed technical analysis, refer to the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-4280
Indicators of Compromise
- Unexpected changes to the brnwp_theme WordPress option containing directory traversal sequences (../)
- AJAX requests to admin-ajax.php with action brnwp_ajax_form from Subscriber-level accounts
- Web server logs showing access patterns with directory traversal payloads targeting the plugin
- Unusual file access patterns in system logs indicating reads of /etc/passwd or wp-config.php
Detection Strategies
- Monitor WordPress options table for modifications to brnwp_theme containing path traversal patterns
- Implement Web Application Firewall (WAF) rules to detect and block directory traversal sequences in AJAX requests
- Review PHP error logs for file inclusion warnings referencing paths outside the plugin directory
- Audit user activity logs for Subscriber-level accounts making administrative option changes
Monitoring Recommendations
- Enable comprehensive logging on admin-ajax.php requests, particularly those targeting Breaking News WP actions
- Configure file integrity monitoring on sensitive system and WordPress configuration files
- Set up alerts for failed file inclusion attempts or unexpected file access patterns
- Monitor for new user account registrations followed by immediate AJAX activity
How to Mitigate CVE-2026-4280
Immediate Actions Required
- Deactivate and remove the Breaking News WP plugin until a patched version is released
- Audit WordPress user accounts and remove unnecessary Subscriber-level access
- Review the brnwp_theme option in the WordPress database for any malicious values
- Check server logs for signs of exploitation and rotate credentials if compromise is suspected
Patch Information
No official patch has been released at this time. Users should check the WordPress plugin repository for updates beyond version 1.3. Monitor the WordPress Plugin Trunk for any security fixes applied to the vulnerable code paths.
Workarounds
- Remove or disable the Breaking News WP plugin until an official fix is available
- Implement server-level restrictions using open_basedir PHP directive to limit file inclusion scope
- Deploy WAF rules to block requests containing directory traversal sequences to the affected AJAX endpoint
- Restrict the WordPress REST API and AJAX endpoints to authenticated administrators only
# Apache .htaccess example to block directory traversal in AJAX requests
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./) [NC,OR]
RewriteCond %{QUERY_STRING} (brnwp_ajax_form) [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
