CVE-2026-1944: CWE-862 Missing Authorization in krellbat CallbackKiller service widget
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.
AI Analysis
Technical Summary
CVE-2026-1944 affects the CallbackKiller service widget plugin for WordPress in all versions up to and including 1.2. The root cause is a missing authorization check (CWE-862) in cbk_save(), the function that persists the plugin's settings. That function is reachable through the 'cbk_save_v1' AJAX action (a request to admin-ajax.php carrying action=cbk_save_v1), and nothing on that path verifies that the caller is allowed to change the plugin's site ID setting. An unauthenticated visitor can therefore submit a crafted request and overwrite the value. The CVSS 3.1 base score is 5.3 (Medium): the vector is network-reachable (AV:N), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope unchanged (S:U), with a low integrity impact (I:L) and no confidentiality or availability impact (C:N/A:N). No patch is linked in the record yet, and no in-the-wild exploitation has been reported. Whether a tampered site ID can be turned into anything beyond a configuration change depends on how the plugin consumes that value; the advisory does not describe a code-injection or service-disruption path, so treat that as a possibility to verify against the plugin source rather than an established consequence.
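The following is an added example of the CWE-862 pattern the advisory describes, written against WordPress AJAX conventions; it is not the CallbackKiller plugin's own code. Only the action name 'cbk_save_v1' and the handler name cbk_save() come from the advisory. The option name 'cbk_site_id', the request field 'site_id', the capability chosen, and both function bodies are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's own code). Reconstructs the advisory's
// missing-authorization pattern and shows the hardened form beside it.
// Assumed names: option 'cbk_site_id', POST field 'site_id'.

// --- Vulnerable shape (assumed) --------------------------------------------
// In WordPress, an AJAX action named X dispatches to the hook wp_ajax_X for
// logged-in users and wp_ajax_nopriv_X for anonymous visitors. Registering
// the nopriv hook with no capability check inside the handler means anyone
// on the internet can overwrite the setting.
add_action( 'wp_ajax_cbk_save_v1',        'cbk_save_vulnerable' );
add_action( 'wp_ajax_nopriv_cbk_save_v1', 'cbk_save_vulnerable' );

function cbk_save_vulnerable() {
    $site_id = isset( $_POST['site_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['site_id'] ) )
        : '';
    // Input is sanitized, but sanitization is not authorization:
    // no current_user_can(), no nonce, so any caller reaches update_option().
    update_option( 'cbk_site_id', $site_id );
    wp_send_json_success( array( 'site_id' => $site_id ) );
}

// --- Hardened shape ----------------------------------------------------------
// 1. Do not register the nopriv hook: a settings change never needs anonymous access.
// 2. Require a capability that means "may change site options".
// 3. Require a nonce so a logged-in administrator cannot be driven into the
//    change cross-site (CSRF). The nonce alone is NOT an authorization check,
//    which is why the capability test comes first.
add_action( 'wp_ajax_cbk_save_v1', 'cbk_save_hardened' );

function cbk_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() sends the response and terminates the request.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Dies with -1 if the nonce field '_ajax_nonce' is missing or stale.
    check_ajax_referer( 'cbk_save_v1', '_ajax_nonce' );

    $site_id = isset( $_POST['site_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['site_id'] ) )
        : '';
    // Assumed format for a site ID; tighten to whatever the real service issues.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $site_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid site_id' ), 400 );
    }
    update_option( 'cbk_site_id', $site_id );
    wp_send_json_success( array( 'site_id' => $site_id ) );
}

// The nonce is issued wherever the settings form is rendered, for example:
//   wp_nonce_field( 'cbk_save_v1', '_ajax_nonce' );
```

The ordering matters: the capability check runs before the nonce check so that an anonymous caller gets a clean 403 rather than a nonce failure, and so that a valid nonce leaked to a low-privilege user still cannot authorize the change.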
Potential Impact
This vulnerability affects the integrity of the CallbackKiller plugin's configuration data. The site ID is what ties the widget to an account with the callback service, so an attacker who can overwrite it could point the widget at a different account, causing visitor callback requests to be routed away from the site owner or the widget to stop working as intended. Any further consequence (for example, whether a controlled site ID influences what the widget loads or renders) depends on how the plugin uses the value and is not established by the advisory. Confidentiality and availability are not directly affected, but because the flaw is reachable without authentication, every internet-facing WordPress site running this plugin is exposed, and sites that rely on the widget for customer contact may see lost leads and reputational harm if it is abused.
Mitigation Recommendations
Until a fixed release is available, organizations should implement the following mitigations:
1) Block the action at the edge. Configure the web application firewall or server rules to reject requests to admin-ajax.php whose action parameter equals cbk_save_v1 unless they originate from trusted addresses. Match on the action parameter rather than on admin-ajax.php as a whole, because front-end features of many themes and plugins depend on that endpoint. Note that the action name usually travels in the POST body, so the rule must inspect the request body, not only the query string.
2) Disable or remove the CallbackKiller service widget plugin if it is not essential.
3) Monitor for exploitation attempts. Standard access logs will not show the action name for POST requests, so rely on WAF or ModSecurity request-body logging, or on WordPress-side logging, to flag cbk_save_v1 requests from unauthenticated sessions. Also alert on unexpected changes to the plugin's site ID option.
4) Enforce authorization in code. Add a capability check (current_user_can() with a capability such as manage_options) to cbk_save(), or install a must-use plugin that intercepts the cbk_save_v1 hooks and terminates the request for callers without that capability. A nonce check is also appropriate against CSRF, but it does not substitute for the capability check.
5) Keep WordPress core and all plugins updated and subscribe to vendor advisories so the fixed version can be applied promptly once it ships.
6) Include plugin AJAX handlers (both wp_ajax_* and wp_ajax_nopriv_* registrations) in regular security audits and penetration tests, since missing capability checks on these handlers are a recurring WordPress plugin weakness.
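The following is an added example of an interim guard for mitigation steps 1, 3 and 4: a must-use plugin that blocks the 'cbk_save_v1' action for anyone who cannot manage options and logs the attempt. It is not code from the CallbackKiller plugin or its vendor. It assumes the plugin registers its handler at WordPress' default hook priority (10), so that a priority-0 callback on the same hooks runs first; the capability name and the log format are choices made for this example.

```php
<?php
/**
 * Plugin Name: CBK interim guard for CVE-2026-1944
 * Description: Added example, not the CallbackKiller plugin's own code.
 *              Place in wp-content/mu-plugins/ to block the 'cbk_save_v1'
 *              AJAX action for callers without manage_options until a
 *              fixed release is installed. Remove once the plugin is updated.
 */

// Assumption: the plugin registered cbk_save() at the default priority (10).
// A priority-0 callback on the same hooks runs first, and because
// wp_send_json_error() terminates the request, cbk_save() is never reached
// for blocked callers. Confirm the priority in the plugin source before
// relying on this; if the plugin uses priority 0 or lower, use a smaller
// (negative) priority here.
function cbk_guard_block_unauthorized_save() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrator: let the plugin's own handler run
    }

    // Record the attempt so it can be correlated with WAF data. The action
    // name is in the POST body, so a plain access log will not show it.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'CVE-2026-1944 guard: blocked cbk_save_v1 from %s (user id %d)',
        $remote,
        get_current_user_id() // 0 for anonymous callers
    ) );

    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}

// Guard both the anonymous and the logged-in dispatch hooks: the advisory
// concerns unauthenticated callers, but a subscriber-level account should
// not be able to change plugin settings either.
add_action( 'wp_ajax_nopriv_cbk_save_v1', 'cbk_guard_block_unauthorized_save', 0 );
add_action( 'wp_ajax_cbk_save_v1',        'cbk_guard_block_unauthorized_save', 0 );
```

Because it lives in mu-plugins, the guard cannot be deactivated from the admin UI and loads before regular plugins, so it is in place regardless of plugin activation order. Verify it with two requests to admin-ajax.php carrying action=cbk_save_v1, one anonymous and one as an administrator: the first should return the 403 JSON error and a line in the PHP error log, the second should reach the plugin's normal handler.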
Affected Countries
United States, Germany, India, Brazil, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-04T21:35:36.617Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901aedc9e1ff5ad86893de
Added to database: 2/14/2026, 6:49:17 AM
Last enriched: 2/21/2026, 10:04:27 PM
Last updated: 4/6/2026, 5:15:52 PM