CVE-2026-13250 in Starter Template featureinfo

Summary

by MITRE • 07/11/2026

The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete all content previously imported via the Starter Template feature, including posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates. The required nonce is emitted on every wp-admin page via wp_localize_script() hooked to admin_enqueue_scripts without a page guard, meaning any Subscriber visiting /wp-admin/profile.php can obtain it; the handler is additionally registered via wp_ajax_nopriv_, making it reachable by fully unauthenticated users as well.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The Solace Extra plugin for WordPress presents a critical authorization bypass vulnerability that affects all versions up to and including 1.5.3, creating a severe security risk for affected installations. This vulnerability stems from inadequate user authorization verification mechanisms within the plugin's codebase, specifically targeting the Starter Template feature functionality. The flaw allows unauthenticated attackers to execute destructive actions against imported content, including posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates, effectively enabling complete content deletion without proper authentication.

The technical implementation of this vulnerability occurs through improper nonce handling within the WordPress admin environment. The plugin emits required nonces on every wp-admin page using wp_localize_script() function that is hooked to admin_enqueue_scripts hook without any page-specific guards or access controls. This design flaw means that any user with subscriber-level privileges can access the nonce value by simply visiting /wp-admin/profile.php, which serves as an unintended exposure vector for authentication tokens. The vulnerability extends beyond simple privilege escalation because the handler is additionally registered via wp_ajax_nopriv_ hook, which explicitly allows unauthenticated users to access the endpoint entirely.

The operational impact of this vulnerability represents a significant threat to WordPress site integrity and data security, particularly affecting e-commerce sites utilizing WooCommerce products and content management systems relying on starter templates. Attackers can leverage this flaw to permanently delete critical website content, potentially causing complete site destruction or requiring extensive recovery procedures. The vulnerability's exploitation requires minimal privileges and no authentication, making it particularly dangerous as it can be triggered by any visitor with access to the WordPress admin area.

This vulnerability aligns with CWE-863 (Authorization Bypass) and represents a classic example of improper access control implementation in web applications. From an ATT&CK framework perspective, this issue maps to T1078 (Valid Accounts) and T1485 (Data Destruction) techniques, as it allows unauthorized modification of system resources through legitimate administrative interfaces. Organizations should immediately implement mitigations including plugin version updates to the latest secure release, implementing additional access controls for wp-admin endpoints, and monitoring for unauthorized content modifications. The remediation process requires urgent patching of the Solace Extra plugin to version 1.5.4 or later, along with comprehensive security reviews of other plugins that may exhibit similar nonce handling patterns.

Responsible

Wordfence

Reservation

06/24/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!