CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13250

mediumCVSS 5.3covered by 1 sourcefirst seen 2026-07-11
The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete all content previously imported via the Starter Template feature, including posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates. The required nonce is emitted on every wp-admin page via wp_localize_script() hooked to admin_enqueue_scripts without a page guard, meaning any Subscriber visiting /wp-admin/profile.php can obtain it; the handler is additionally registered via wp_ajax_nopriv_, making it reachable by fully unauthenticated users as well.

⚡ Watch CVE-2026-13250

Get an email if CVE-2026-13250 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-13250

CVE.org record

Embed the live status

CVE-2026-13250 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13250 status](https://www.csirts.com/badge/CVE-2026-13250)](https://www.csirts.com/cve/CVE-2026-13250)