CVE-2026-7249 is a missing authorization vulnerability (CWE-862) in the shapedplugin Location Weather WordPress plugin, affecting all versions up to 3.0.2. The issue arises because the functions `splw_update_block_options()` and `lwp_clean_weather_transients()` lack proper capability checks, allowing authenticated users with Contributor-level privileges or higher to modify plugin data unauthorizedly. The nonce protecting these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook, enabling exploitation without additional user interaction. This can lead to disabling weather blocks and purging weather cache transients. The CVSS 3.1 base score is 4.3 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and limited integrity impact. No vendor advisory or patch information is currently available.

An attacker with Contributor-level or higher access can disable all weather blocks and purge weather cache transients in the Location Weather plugin without proper authorization. This results in unauthorized modification of plugin data, impacting the integrity of weather-related content displayed on the WordPress site. There is no direct impact on confidentiality or availability reported. The vulnerability does not require user interaction and can be exploited remotely over the network.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access to trusted users only and monitor plugin updates from shapedplugin for a security patch. Avoid granting Contributor or higher privileges to untrusted users to reduce risk.