Attack Vectors
CVE-2026-0572 is a Medium severity vulnerability (CVSS 6.5) affecting the WebPurify Profanity Filter WordPress plugin (slug: webpurifytextreplace) in versions 4.0.2 and earlier. The issue allows an unauthenticated attacker to change plugin settings over the network without needing a user account or any user interaction.
From a business-risk perspective, this kind of exposure matters because it can be exploited quietly. If the plugin is installed and exposed, an attacker may attempt to alter profanity filtering or related configuration settings to disrupt normal site operations, degrade the customer experience, or create moderation and brand-safety issues.
Security Weakness
The root cause is a missing authorization (capability) check in the plugin function webpurify_save_options. In practical terms, the plugin does not sufficiently verify that a request to change settings is coming from a legitimate, authorized WordPress administrator (or other approved role).
Because this check is missing, the plugin’s settings-change functionality can be reached by someone who is not logged in. The vulnerability is limited to unauthorized modification of plugin settings (not a confirmed data breach), but it still represents a meaningful control failure for teams responsible for compliance, brand safety, and operational reliability.
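To make the missing check concrete, here is an added illustration (not the plugin's own code) of a WordPress settings-save handler written without any authorization check, followed by the hardened form a maintainer would ship: a capability check, a nonce check, input validation, and registration only on a hook that authenticated users can reach. The function, option and nonce names, and the assumption that the weak handler is hooked on `init`, are hypothetical; only the WordPress API calls are real.

```php
<?php
// BEFORE (hypothetical): reachable by anyone, including logged-out visitors,
// because it is hooked on 'init' and never checks who sent the request.
// This is the class of defect described for webpurify_save_options, not its code.
function example_save_options_vulnerable() {
    if ( isset( $_POST['example_filter_enabled'] ) ) {
        update_option( 'example_filter_enabled', $_POST['example_filter_enabled'] );
    }
}
add_action( 'init', 'example_save_options_vulnerable' );

// AFTER: the caller must hold the capability administrators use to change
// site settings, the request must carry a nonce tied to this action, and
// values are validated before being stored.
function example_save_options_hardened() {
    // Capability check: the missing-authorization root cause.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'example' ), '', array( 'response' => 403 ) );
    }
    // CSRF check: rejects requests that did not come from the plugin's own form.
    check_admin_referer( 'example_save_options', 'example_nonce' );

    $enabled = isset( $_POST['example_filter_enabled'] ) ? '1' : '0';
    $level   = isset( $_POST['example_filter_level'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_filter_level'] ) )
        : 'medium';
    // Allow-list the setting rather than storing arbitrary client input.
    if ( ! in_array( $level, array( 'low', 'medium', 'high' ), true ) ) {
        $level = 'medium';
    }
    update_option( 'example_filter_enabled', $enabled );
    update_option( 'example_filter_level', $level );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}
// 'admin_post_{action}' fires only for authenticated users. Deliberately no
// 'admin_post_nopriv_{action}' registration, so logged-out requests never reach it.
add_action( 'admin_post_example_save_options', 'example_save_options_hardened' );

// Fields the plugin's settings form must emit so the nonce check above passes.
function example_render_form_fields() {
    echo '<input type="hidden" name="action" value="example_save_options">';
    wp_nonce_field( 'example_save_options', 'example_nonce' );
}
```

Note that the nonce alone is not an authorization control: without the `current_user_can` check, any logged-in user who can obtain a nonce would still be able to change the settings.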
Technical or Business Impacts
The most direct impact is loss of integrity and availability for the affected plugin’s configuration (aligned with the CVSS vector indicating low integrity and low availability impact). For marketing leaders and executives, this can translate into measurable business risk: brand-damaging content slipping through moderation controls, inconsistent customer experiences, increased support burden, and potential disruption to campaigns that rely on user-generated content or automated filtering.
For compliance and risk stakeholders, unauthorized settings changes can complicate auditability and policy enforcement. Even if no sensitive data is exposed, the ability for an outside party to alter operational controls is a governance concern—especially on high-visibility pages or regulated workflows.
Remediation: Update WebPurify Profanity Filter to version 4.0.3 or a newer patched version. Track the CVE record here: https://www.cve.org/CVERecord?id=CVE-2026-0572. Reference source: Wordfence vulnerability intelligence.
Similar Attacks
Unauthenticated or weakly protected WordPress plugin endpoints have been repeatedly used to change settings, create disruptive site behavior, or open the door to additional abuse. A few well-documented examples include:
Yellow Pencil Visual Theme Customizer (actively exploited; Wordfence report)
Elementor (high-impact vulnerability discussion; Wordfence report)
ThemeGrill Demo Importer (critical plugin vulnerabilities; Wordfence report)