CVE-2026-0572 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WebPurify Profanity Filter plugin for WordPress, versions up to and including 4.0.2. The root cause is the absence of a capability check in the 'webpurify_save_options' function, which is responsible for saving plugin settings. This flaw allows unauthenticated attackers to invoke this function and modify the plugin's configuration without any authorization. Since the plugin controls profanity filtering on WordPress sites, unauthorized changes could disable or alter filtering rules, potentially allowing malicious content to bypass moderation or causing denial of service by misconfiguration. The vulnerability is remotely exploitable over the network without requiring any privileges or user interaction, increasing its risk profile. The CVSS v3.1 base score is 6.5, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating no confidentiality impact but partial integrity and availability impacts. No patches or known exploits are currently reported, but the lack of authorization checks makes exploitation straightforward. The vulnerability affects all versions of the plugin up to 4.0.2, and the plugin is widely used in WordPress environments that require content moderation.

The primary impact of this vulnerability is unauthorized modification of plugin settings, which can undermine the integrity of content filtering on affected WordPress sites. Attackers could disable profanity filters or alter them to allow inappropriate or malicious content, potentially damaging brand reputation and user trust. Additionally, misconfiguration could lead to denial of service conditions if the plugin malfunctions or conflicts with other components. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by any attacker scanning for vulnerable sites. This broadens the attack surface and increases the likelihood of exploitation. Organizations relying on WebPurify for content moderation, especially high-traffic websites, forums, or community platforms, may face increased risk of content abuse or service disruption. While confidentiality is not directly impacted, the integrity and availability of the filtering service are at risk, which can indirectly affect overall site security and compliance with content policies.

To mitigate this vulnerability, organizations should immediately update the WebPurify Profanity Filter plugin to a version that includes proper authorization checks once available. In the absence of an official patch, administrators can implement the following measures: 1) Restrict access to the WordPress admin interface and plugin endpoints via IP whitelisting or web application firewall (WAF) rules to block unauthorized requests targeting 'webpurify_save_options'. 2) Employ security plugins that monitor and alert on unauthorized changes to plugin settings or unusual POST requests. 3) Harden WordPress installations by enforcing strong authentication and limiting administrative privileges to trusted users only. 4) Conduct regular audits of plugin configurations to detect unauthorized modifications promptly. 5) Disable or remove the WebPurify plugin if content filtering is not critical or if alternative solutions are available until a secure version is released. These steps reduce the attack surface and help prevent exploitation while awaiting an official fix.