CallbackKiller service widget Vulnerability (Medium) – CVE-2026-1944

Feb 13, 2026 | Plugins

Attack Vectors

The CallbackKiller service widget plugin (slug: callbackkiller-service-widget) is reported as Medium severity (CVSS 5.3) and affects all versions up to and including 1.2. The issue involves a WordPress AJAX endpoint tied to the cbk_save_v1 action, which can be reached over the network without requiring a logged-in user.

In practical terms, an unauthenticated attacker may be able to send crafted requests that trigger the plugin’s settings save behavior, resulting in unauthorized changes to the plugin’s site ID configuration.

Security Weakness

CVE-2026-1944 is described as a missing authorization (capability) check in the plugin’s cbk_save() function. When a capability check is missing, WordPress cannot reliably enforce that only approved users (such as administrators) can change settings.

This weakness is categorized as an “unauthenticated arbitrary plugin settings update” risk: attackers don’t need credentials, and they can modify a specific configuration value (the plugin’s site ID) via the exposed AJAX action.
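As an added illustration (not the plugin's actual source), the handler shape the advisory describes beside a hardened one; the option key, nonce action and request field names are assumptions chosen for the example:

```php
<?php
// Illustration only: cbk_save_v1 and cbk_save() are the names from the advisory,
// 'cbk_site_id', 'cbk_save' (nonce action) and 'site_id' are assumed for this example.

// Vulnerable shape described in the advisory: cbk_save() writes the setting
// without asking who is calling. The plugin would also have registered it for
// anonymous callers, i.e. add_action( 'wp_ajax_nopriv_cbk_save_v1', 'cbk_save' );
// which is what makes admin-ajax.php reachable without a session.
function cbk_save() {
    $site_id = sanitize_text_field( wp_unslash( $_POST['site_id'] ?? '' ) );
    update_option( 'cbk_site_id', $site_id ); // no capability check before the write
    wp_send_json_success();
}

// Hardened shape: only logged-in callers are routed to the handler (no
// wp_ajax_nopriv_ hook, so anonymous requests fall through to WordPress's
// default rejection), the request must carry a nonce bound to this action,
// and the caller must hold the capability settings changes normally require.
add_action( 'wp_ajax_cbk_save_v1', 'cbk_save_fixed' );

function cbk_save_fixed() {
    // CSRF protection: dies with 403 unless a valid nonce for 'cbk_save'
    // was posted in the 'nonce' field.
    check_ajax_referer( 'cbk_save', 'nonce' );

    // Authorization: the check CVE-2026-1944 reports as missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: constrain the site ID to a conservative character set.
    $site_id = sanitize_text_field( wp_unslash( $_POST['site_id'] ?? '' ) );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $site_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid site ID.' ), 400 );
    }

    update_option( 'cbk_site_id', $site_id );
    wp_send_json_success( array( 'site_id' => $site_id ) );
}
```

The client side of the fixed flow has to obtain the nonce via wp_create_nonce( 'cbk_save' ) from a page rendered to an administrator and post it as the nonce field.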

Technical or Business Impacts

While this vulnerability is not described as enabling data theft or site downtime (the CVSS vector indicates no confidentiality or availability impact), it does allow unauthorized changes to a business-relevant setting. For marketing, operations, and compliance teams, unauthorized configuration changes can translate into brand, analytics, and customer-experience risks.

Potential impacts include misrouting or disruption of lead-capture workflows that rely on the CallbackKiller service widget, inconsistent campaign attribution, and unapproved changes that complicate incident response and auditability. Even “low integrity” changes can create real business friction when they alter how customer communications and conversion paths function.

Recommended response: There is no known patch available. Based on your organization’s risk tolerance, consider uninstalling CallbackKiller service widget and replacing it with an alternative. If removal is not immediately feasible, prioritize compensating controls such as limiting exposure of WordPress AJAX endpoints where possible, tightening access controls around the site, and increasing monitoring for unexpected configuration changes.

Similar Attacks

Unauthorized settings changes via exposed endpoints are a common theme in WordPress security incidents. For context, here are a few real examples of plugin-related vulnerabilities that attackers have leveraged broadly:

Elementor Pro vulnerability (Wordfence analysis)

All in One SEO Pack vulnerabilities (Wordfence analysis)

Essential Addons for Elementor vulnerability (Wordfence analysis)
