CVE-2026-2941
Published: 21 March 2026
Summary
CVE-2026-2941 is a high-severity Missing Authorization (CWE-862) vulnerability in the Linksy Search and Replace plugin for WordPress, affecting all versions up to and including 1.0.4. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking sits at the 15.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly addressing the missing capability check that allows unauthorized database modifications.
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of flaws such as the missing capability check in the plugin, enabling timely patching to prevent exploitation.
- AC-6 (Least Privilege): Restricts subscriber-level users from performing high-privilege actions such as database updates and role changes, limiting what an attacker gains from a low-privileged account.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): the flawed AJAX handler is reachable over the network in a public-facing WordPress plugin.
- T1068 (Exploitation for Privilege Escalation): the missing capability check lets any authenticated user modify the database and escalate from subscriber to administrator.
- T1098 (Account Manipulation): the escalation is carried out by rewriting the attacker's own wp_capabilities value in wp_usermeta.
NVD Description
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp_capabilities database field, which allows attackers to change their own role to administrator, which leads to privilege escalation.
Deeper analysis
CVE-2026-2941 is a vulnerability in the Linksy Search and Replace plugin for WordPress, affecting all versions up to and including 1.0.4. It stems from a missing capability check in the 'linksy_search_and_replace_item_details' function, enabling unauthorized modification of data (CWE-862). The issue has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for confidentiality, integrity, and availability impacts.
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely without user interaction. Subscriber is the default role granted by WordPress's open user registration, so on sites that allow sign-ups the only precondition is creating an account. By leveraging the flawed function, an attacker can update any database table or value, such as modifying the wp_capabilities field in wp_usermeta to elevate their own role to administrator, resulting in full privilege escalation and potential site compromise.
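The pattern behind this class of bug, shown as an added illustration that is not the Linksy plugin's own code: a hypothetical WordPress AJAX handler (`example_item_details`, `$_POST` fields `table`, `column`, `id`, `value`) that writes to a caller-chosen table with no capability check, beside a hardened version. All function and parameter names here are assumptions for the example.

```php
<?php
// Added example, not code from the Linksy Search and Replace plugin.
// Every hook name, function name and request field below is hypothetical.

// --- Vulnerable pattern (CWE-862) ---
// wp_ajax_* hooks fire for ANY logged-in user, subscriber included. With no
// current_user_can() check, whoever can log in can reach this function.
add_action( 'wp_ajax_example_item_details', 'example_item_details_vulnerable' );

function example_item_details_vulnerable() {
    global $wpdb;

    // The request names the table, the column, the row and the new value.
    $table  = sanitize_text_field( wp_unslash( $_POST['table']  ?? '' ) );
    $column = sanitize_text_field( wp_unslash( $_POST['column'] ?? '' ) );
    $id     = absint( $_POST['id'] ?? 0 );
    $value  = wp_unslash( $_POST['value'] ?? '' );

    // A subscriber can point this at wp_usermeta, the meta_value column and
    // the umeta_id of their own wp_capabilities row, and write
    // a:1:{s:13:"administrator";b:1;} to become an administrator.
    $wpdb->update( $table, array( $column => $value ), array( 'umeta_id' => $id ) );
    wp_send_json_success();
}

// --- Hardened version ---
add_action( 'wp_ajax_example_item_details', 'example_item_details_hardened' );

function example_item_details_hardened() {
    global $wpdb;

    // 1. CSRF protection: the admin page that issues the request must emit
    //    wp_create_nonce( 'example_item_details' ) and send it as _ajax_nonce.
    //    check_ajax_referer() calls wp_die() on mismatch.
    check_ajax_referer( 'example_item_details', '_ajax_nonce' );

    // 2. Authorization: only users who may administer the site can write
    //    arbitrary rows. wp_send_json_error() ends the request via wp_die().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Never let the request pick the table or column. Allow-list what the
    //    feature legitimately edits, with each table's real primary key.
    //    (wp_usermeta and wp_users are deliberately absent.)
    $allowed = array(
        $wpdb->posts    => array( 'key' => 'ID',      'columns' => array( 'post_content', 'post_excerpt' ) ),
        $wpdb->postmeta => array( 'key' => 'meta_id', 'columns' => array( 'meta_value' ) ),
    );

    $table  = sanitize_text_field( wp_unslash( $_POST['table']  ?? '' ) );
    $column = sanitize_text_field( wp_unslash( $_POST['column'] ?? '' ) );
    $id     = absint( $_POST['id'] ?? 0 );
    $value  = wp_unslash( $_POST['value'] ?? '' );

    if ( ! isset( $allowed[ $table ] ) || ! in_array( $column, $allowed[ $table ]['columns'], true ) || 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Table, column or id not permitted.' ), 400 );
    }

    // $wpdb->update() prepares the value; the table, column and key names
    // come only from the allow-list above, never from the request.
    $updated = $wpdb->update(
        $table,
        array( $column => $value ),
        array( $allowed[ $table ]['key'] => $id )
    );

    if ( false === $updated ) {
        wp_send_json_error( array( 'message' => 'Update failed.' ), 500 );
    }
    wp_send_json_success( array( 'rows' => $updated ) );
}
```

The two checks are independent: the nonce stops a third party from making an administrator's browser issue the request, and `current_user_can()` stops a low-privileged account from issuing it directly. A nonce alone does not fix CWE-862, because a subscriber can obtain a valid nonce from any page that renders it for them. When auditing a site for this CVE, the corresponding detection is to look for subscribers whose wp_usermeta wp_capabilities row now serializes an administrator role, or for unexpected user_role changes in activity logs, and to remove or update the plugin.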
Advisories from Wordfence provide threat intelligence on the vulnerability (https://www.wordfence.com/threat-intel/vulnerabilities/id/0bf117e2-9e59-4028-b77f-7fce2e7174f3?source=cve), while the plugin's source code confirms the missing check at line 197 in AjaxActions.php (https://plugins.trac.wordpress.org/browser/linksy-search-and-replace/tags/1.0.4/inc/Admin/Partials/SearchAndReplace/AjaxActions.php#L197). No specific patch details are outlined in the available references.
Details
- CWE(s)