The vulnerability identified as CVE-2026-1944 affects the CallbackKiller service widget plugin for WordPress, specifically versions up to and including 1.2. The root cause is a missing authorization (capability) check in the cbk_save() function, which handles saving configuration data. This function is exposed via an AJAX action named 'cbk_save_v1', which can be invoked remotely without authentication or user interaction. As a result, an unauthenticated attacker can modify the plugin's site ID settings, effectively altering configuration parameters that should be protected. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the application fails to verify whether the user has permission to perform the requested action. The CVSS v3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, meaning the attack is network-based, requires no privileges or user interaction, and impacts integrity but not confidentiality or availability. No patches or fixes have been published yet, and no known exploits are reported in the wild. The plugin is used within WordPress environments, which are widely deployed for websites and online services. This vulnerability could be leveraged to alter plugin settings, potentially enabling further malicious activity or disrupting normal operations. The lack of authentication checks is a critical design flaw that must be addressed to prevent unauthorized configuration changes.

For European organizations, the primary impact of this vulnerability is the unauthorized modification of plugin settings, which compromises the integrity of the affected WordPress sites. While it does not directly expose sensitive data or cause denial of service, the ability to alter site ID settings could be leveraged by attackers to facilitate further attacks, such as injecting malicious code, redirecting traffic, or bypassing security controls. Organizations relying on the CallbackKiller widget for critical customer interaction or service functionality may experience operational disruptions or reputational damage if attackers manipulate plugin configurations. Given the widespread use of WordPress across Europe, especially among SMEs and public sector websites, the vulnerability poses a moderate risk. Attackers do not require authentication or user interaction, increasing the likelihood of exploitation if the plugin is present and active. The absence of known exploits currently provides a window for proactive mitigation, but the risk remains significant due to the ease of exploitation and potential for chained attacks.

1. Immediately audit all WordPress sites for the presence of the CallbackKiller service widget plugin, particularly versions up to 1.2. 2. Disable or remove the plugin if it is not essential to reduce the attack surface. 3. If the plugin is required, implement custom authorization checks on the cbk_save() function to ensure only authorized users can invoke the 'cbk_save_v1' AJAX action. 4. Monitor web server and WordPress logs for unusual or repeated AJAX requests to 'cbk_save_v1' originating from unauthenticated sources. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block unauthorized AJAX calls targeting this plugin endpoint. 6. Stay alert for official patches or updates from the vendor and apply them promptly once available. 7. Educate site administrators on the risks of unauthorized plugin modifications and enforce strict access controls on WordPress admin interfaces. 8. Consider implementing integrity monitoring solutions to detect unauthorized changes to plugin settings or files. 9. Regularly back up WordPress configurations and site data to enable quick restoration in case of compromise.