{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1930", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T20:54:31.865Z", "datePublished": "2026-04-22T09:27:19.900Z", "dateUpdated": "2026-04-22T09:27:19.900Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T09:27:19.900Z"}, "affected": [{"vendor": "hanicker", "product": "Emailchef", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action."}], "title": "Emailchef <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ae02595-17f0-472d-bc4f-6169cce7a583?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/emailchef/trunk/admin/class-emailchef-admin.php#L121"}, {"url": "https://plugins.trac.wordpress.org/browser/emailchef/tags/3.5.1/admin/class-emailchef-admin.php#L121"}, {"url": "https://plugins.trac.wordpress.org/browser/emailchef/trunk/admin/class-emailchef-admin.php#L200"}, {"url": "https://plugins.trac.wordpress.org/browser/emailchef/tags/3.5.1/admin/class-emailchef-admin.php#L200"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3474353%40emailchef&new=3474353%40emailchef&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-04-21T20:35:30.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action."}], "id": "CVE-2026-1930", "lastModified": "2026-04-22T10:16:51.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T10:16:51.000", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/emailchef/tags/3.5.1/admin/class-emailchef-admin.php#L121"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/emailchef/tags/3.5.1/admin/class-emailchef-admin.php#L200"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/emailchef/trunk/admin/class-emailchef-admin.php#L121"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/emailchef/trunk/admin/class-emailchef-admin.php#L200"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3474353%40emailchef&new=3474353%40emailchef&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ae02595-17f0-472d-bc4f-6169cce7a583?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T10:51:32.243929+00:00", "value": {"mitigation_remediation": ["Upgrade the Emailchef plugin to a version newer than 3.5.1 where the missing capability check has been restored.", "If an update is not immediately possible, temporarily remove or deactivate the Emailchef plugin until a patch can be applied.", "Review and tighten user role capabilities so that Subscriber or lower users cannot access AJAX endpoints that modify plugin settings; consider revoking emailchef_disconnect access from these roles.", "Apply site\u2011wide security monitoring to detect unexpected AJAX traffic targeting Emailchef and investigate any anomalies promptly."], "summary": {"action": "Update Plugin", "impact": "Arbitrary plugin settings deletion by authenticated users"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Emailchef plugin from the earliest version through 3.5.1 released by the vendor hanicker:Emailchef. Systems running any of these versions on WordPress are exposed unless the plugin is removed or updated to a version later than 3.5.1.", "description_and_impact": "The Emailchef WordPress plugin contains a missing capability check in the page_options_ajax_disconnect() routine. As a result, any authenticated user with Subscriber level permissions or higher can invoke the emailchef_disconnect AJAX action and delete the plugin\u2019s configuration data, which may break email functionality and cause service disruption. This flaw is a classic authorization bypass, classified as CWE-862, and it does not allow exploitation to execute arbitrary code or gain higher privileges. The primary impact is loss of configuration integrity and potential downtime for sites relying on Emailchef for email handling.", "risk_and_exploitability": "The CVSS score for this issue is 4.3, placing it in the medium range. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need an authenticated session and Subscriber or higher access, which is relatively common in many WordPress sites. While the vulnerability does not provide direct code execution, deletion of configuration may lead to service disruption. Given the available attack vector, administrators should treat this issue as a priority to prevent service disruption."}}}}, "created": "2026-04-22T11:00:09.088610+00:00", "updated": "2026-04-22T11:00:09.088620+00:00", "vendors": []}