Emailchef WordPress Plugin Missing Authorization Vulnerability in AJAX Disconnect Action

Vulnerability

The Emailchef plugin for WordPress contains a missing authorization vulnerability that allows authenticated users with Subscriber-level access and above to delete plugin settings. The issue arises from a missing capability check in the 'page_options_ajax_disconnect()' function and affects all versions through 3.5.1. It can be exploited by sending a request to the 'emailchef_disconnect' AJAX action, which the plugin handles without verifying that the requesting user is authorized.

Impact

Exploitation of this vulnerability allows for arbitrary deletion of the Emailchef plugin's settings, which could disrupt the functionality of the plugin and potentially lead to loss of data associated with the plugin's configuration.

Remediation

Users are advised to update the Emailchef WordPress plugin to version 3.5.2 or later, where this vulnerability has been patched.
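
Where the update cannot be applied right away, the missing capability check can be enforced from outside the plugin. The must-use plugin below is an added example, not Emailchef's code or its 3.5.2 patch; the file, function and constant names are hypothetical, and it assumes that only users with 'manage_options' should reach this action and that the plugin hooks its handler at the default priority.

```php
<?php
/**
 * Plugin Name: Emailchef disconnect guard (added example, hypothetical)
 * Description: Rejects the emailchef_disconnect AJAX action for users who cannot manage options.
 *
 * Intended location (assumption): wp-content/mu-plugins/, so it loads before regular plugins.
 */

// Assumption: only administrators (manage_options) should be able to disconnect the plugin.
const EC_GUARD_CAPABILITY = 'manage_options';

/**
 * Runs before the plugin's own handler and stops the request
 * when the current user lacks the required capability.
 */
function ec_guard_disconnect() {
    if ( current_user_can( EC_GUARD_CAPABILITY ) ) {
        return; // Authorized: let the plugin's handler run as usual.
    }

    // Record the rejected attempt so it shows up in log review.
    error_log( sprintf(
        'emailchef_disconnect denied: user_id=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() sends the response and terminates the request,
    // so handlers hooked at later priorities never execute.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Priority 0 runs ahead of handlers registered at the default priority (10).
// Assumption: the plugin registers its handler at the default priority.
add_action( 'wp_ajax_emailchef_disconnect', 'ec_guard_disconnect', 0 );
```

The guard can be removed once the plugin is at version 3.5.2 or later.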

Added: Apr 22, 2026, 11:27 AM
Updated: Apr 22, 2026, 11:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.9
remediation: 0.0
relevance: 6.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.