Security Alert Summary
The EmergencyWP – Dead Man’s switch & legacy deliverance plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 1.4.2. Missing or incorrect nonce validation in the plugin’s settings save handler allows an attacker who can trick an administrator into clicking a crafted link to modify plugin settings, including role-related capabilities and data-erasure flags, via a forged request.
CVE Details
- CVE ID: CVE-2026-9732
- Affected component: EmergencyWP – Dead Man’s switch & legacy deliverance plugin for WordPress
- Affected versions: All versions up to and including 1.4.2
- Published: June 3, 2026 at 12:16:45 AM
- Last modified: June 3, 2026 at 12:16:45 AM
- CVSS v3.1: Base Score 4.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Authentication / Privileges / User interaction: No privileges required (PR:N); attacker must trick a user into taking an action (UI:R)
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- Weakness: CWE-352 (Cross-Site Request Forgery)
Technical Details
The vulnerability is a Cross-Site Request Forgery (CWE-352) in the plugin’s settings save handler. The issue is caused by missing or incorrect nonce validation in the form_settings_ui function (the settings save handler, which runs in a procedural include scope). Because the handler does not verify a valid nonce before applying the submitted values, an attacker can construct a request that, if an administrator is tricked into triggering it while logged in, will be accepted by the plugin and applied to its settings.
The vulnerability allows modification of multiple plugin settings via a forged request. The description specifically lists changes including the minimum access role (which can alter WordPress role capabilities using add_cap/remove_cap), the data-erasure-on-uninstall flag, life-check timing values, the mandator email address, the confirmation page ID, and date/time formats. The impact is limited to those settings and related integrity changes; there is no confidentiality or availability impact specified in the provided data.
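To make the defect concrete, the following is an added, constructed example and not the EmergencyWP plugin’s code: a hypothetical WordPress settings save handler (`demo_plugin_save_settings_unsafe`) that applies whatever arrives in the POST body, placed beside a hardened version that checks the caller’s capability, verifies a nonce bound to the form with `check_admin_referer()`, and sanitizes each value (including restricting the role setting to an allowlist). All `demo_plugin_*` option and field names are assumptions chosen for the illustration; the WordPress functions used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `sanitize_email`, `is_email`, `update_option`, `admin_post_{action}`) are real core APIs.

```php
<?php
// Added example (not the plugin's code). All demo_plugin_* names are hypothetical.

// --- Vulnerable pattern: no capability check, no nonce check, no sanitization.
// Any authenticated admin's browser that submits these fields, from any origin,
// causes the options to be overwritten. This is the CWE-352 shape.
function demo_plugin_save_settings_unsafe() {
    if ( isset( $_POST['demo_plugin_mandator_email'] ) ) {
        update_option( 'demo_plugin_mandator_email', $_POST['demo_plugin_mandator_email'] );
        update_option( 'demo_plugin_erase_on_uninstall', isset( $_POST['demo_plugin_erase'] ) ? 1 : 0 );
        update_option( 'demo_plugin_min_role', $_POST['demo_plugin_min_role'] );
    }
}

// --- Hardened pattern, part 1: the form emits a nonce tied to a specific action.
function demo_plugin_render_settings_form() {
    $min_role = get_option( 'demo_plugin_min_role', 'administrator' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_plugin_save_settings">
        <?php wp_nonce_field( 'demo_plugin_save_settings', 'demo_plugin_nonce' ); ?>
        <p><label>Mandator e-mail
            <input type="email" name="demo_plugin_mandator_email"
                   value="<?php echo esc_attr( get_option( 'demo_plugin_mandator_email', '' ) ); ?>">
        </label></p>
        <p><label><input type="checkbox" name="demo_plugin_erase" value="1"
            <?php checked( 1, (int) get_option( 'demo_plugin_erase_on_uninstall', 0 ) ); ?>>
            Erase plugin data on uninstall</label></p>
        <p><label>Minimum access role
            <select name="demo_plugin_min_role">
                <option value="administrator" <?php selected( $min_role, 'administrator' ); ?>>Administrator</option>
                <option value="editor" <?php selected( $min_role, 'editor' ); ?>>Editor</option>
            </select>
        </label></p>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, part 2: the handler checks capability, then nonce, then input.
function demo_plugin_save_settings_safe() {
    // 1. Only users allowed to manage options may reach the write path at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. The nonce proves the request came from our own form, rendered for this
    //    user; check_admin_referer() wraps wp_verify_nonce() and dies on failure.
    check_admin_referer( 'demo_plugin_save_settings', 'demo_plugin_nonce' );

    // 3. Validate and sanitize every field before it is stored.
    $email = sanitize_email( wp_unslash( $_POST['demo_plugin_mandator_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.', '', array( 'response' => 400 ) );
    }
    update_option( 'demo_plugin_mandator_email', $email );
    update_option( 'demo_plugin_erase_on_uninstall', empty( $_POST['demo_plugin_erase'] ) ? 0 : 1 );

    // The role value is matched against an allowlist rather than trusted as sent,
    // so a single forged field cannot point the plugin at an unexpected role.
    $allowed_roles = array( 'administrator', 'editor' );
    $role          = sanitize_key( wp_unslash( $_POST['demo_plugin_min_role'] ?? 'administrator' ) );
    if ( in_array( $role, $allowed_roles, true ) ) {
        update_option( 'demo_plugin_min_role', $role );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=demo-plugin&settings-updated=true' ) );
    exit;
}
// admin-post.php routes POSTs with action=demo_plugin_save_settings to this handler.
add_action( 'admin_post_demo_plugin_save_settings', 'demo_plugin_save_settings_safe' );
```

The order of checks matters: the capability test rejects unprivileged callers before any nonce work, the nonce test rejects requests that did not originate from the plugin’s own rendered form, and sanitization limits what even a legitimate submission can write. A nonce alone is not an authorization check (WordPress nonces are per-user, per-action tokens with a limited lifetime), which is why both checks appear together.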
How This Could Impact Your Website
In a realistic scenario, an attacker could craft a link or page that triggers a forged settings request. If a site administrator (site owner or an internal staff member with administrative privileges) clicks the link while authenticated, the attacker could change EmergencyWP settings. Possible practical consequences include:
- Alteration of the minimum access role and modification of role capabilities, which could enable privilege changes for users managed by the plugin.
- Modification of the mandator email address or confirmation page, which could redirect plugin notifications or change workflows used by internal staff or external contractors.
- Changes to data-erasure-on-uninstall behavior and life-check timings, affecting how and when user data or plugin data are handled.
These changes can increase the risk of targeted phishing or social engineering by exposing or redirecting administrative communications and by changing role capabilities that affect how users interact with the site. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and capabilities, especially for contributor and editor accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, especially changes to plugin settings or role capabilities.
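The last recommendation, watching for unexpected changes to plugin settings and role capabilities, can be implemented on the site itself. The following is an added, constructed example of a must-use plugin (not part of EmergencyWP or any product mentioned on this page) that hooks WordPress core’s `updated_option` action, logs changes to a watched list of option names together with the requesting user and the request’s Origin and Referer headers, and summarizes capability additions and removals per role. The `demo_plugin_*` option names in the watch list are assumptions; the `{$wpdb->prefix}user_roles` entry is the real option that `WP_Roles::add_cap()` and `remove_cap()` write to.

```php
<?php
/**
 * Plugin Name: Settings Change Audit (added example; hypothetical mu-plugin)
 * Description: Logs changes to watched plugin options and to role capabilities.
 * Install by copying into wp-content/mu-plugins/ so it cannot be deactivated from the UI.
 */

// Constructed watch list; replace the demo_plugin_* entries with the option names
// the plugins on your site actually store. Role capability changes made through
// WP_Roles::add_cap()/remove_cap() are persisted in the {$prefix}user_roles option.
function settings_audit_watched_options() {
    global $wpdb;
    return array(
        'demo_plugin_mandator_email',
        'demo_plugin_erase_on_uninstall',
        'demo_plugin_min_role',
        $wpdb->prefix . 'user_roles',
    );
}

// Request context to store beside every audit line. For a cross-site form POST the
// browser sends an Origin header naming the foreign site, which is the signal a
// reviewer wants when deciding whether a settings change was legitimate.
function settings_audit_request_context() {
    $user = wp_get_current_user();
    $hdr  = function ( $key ) {
        return isset( $_SERVER[ $key ] ) ? sanitize_text_field( wp_unslash( $_SERVER[ $key ] ) ) : '-';
    };
    return sprintf(
        'user=%s(%d) ip=%s method=%s origin=%s referer=%s uri=%s',
        $user->user_login,
        $user->ID,
        $hdr( 'REMOTE_ADDR' ),
        $hdr( 'REQUEST_METHOD' ),
        $hdr( 'HTTP_ORIGIN' ),
        $hdr( 'HTTP_REFERER' ),
        $hdr( 'REQUEST_URI' )
    );
}

// Capability names that are set to true in a role's 'capabilities' map.
function settings_audit_enabled_caps( $roles, $role ) {
    if ( ! isset( $roles[ $role ]['capabilities'] ) || ! is_array( $roles[ $role ]['capabilities'] ) ) {
        return array();
    }
    return array_keys( array_filter( $roles[ $role ]['capabilities'] ) );
}

function settings_audit_on_updated_option( $option, $old_value, $new_value ) {
    if ( ! in_array( $option, settings_audit_watched_options(), true ) ) {
        return;
    }
    global $wpdb;
    $context = settings_audit_request_context();

    if ( $option === $wpdb->prefix . 'user_roles' ) {
        // Report per-role capability deltas instead of dumping the whole roles array.
        $role_names = array_unique( array_merge( array_keys( (array) $old_value ), array_keys( (array) $new_value ) ) );
        foreach ( $role_names as $role ) {
            $before  = settings_audit_enabled_caps( (array) $old_value, $role );
            $after   = settings_audit_enabled_caps( (array) $new_value, $role );
            $added   = array_diff( $after, $before );
            $removed = array_diff( $before, $after );
            if ( $added || $removed ) {
                error_log( sprintf(
                    '[settings-audit] role=%s caps_added=[%s] caps_removed=[%s] %s',
                    $role, implode( ',', $added ), implode( ',', $removed ), $context
                ) );
            }
        }
        return;
    }

    error_log( sprintf(
        '[settings-audit] option=%s old=%s new=%s %s',
        $option, wp_json_encode( $old_value ), wp_json_encode( $new_value ), $context
    ) );
}
// updated_option fires only when the stored value actually changed.
add_action( 'updated_option', 'settings_audit_on_updated_option', 10, 3 );
```

Lines go to PHP’s error log (`WP_DEBUG_LOG` sends them to wp-content/debug.log), from where they can be shipped to whatever log pipeline the site already uses. A change to a watched option whose logged Origin or Referer is not the site’s own admin URL, or whose method is GET, is the kind of entry worth investigating; a capability added to a low-privilege role outside a planned change is another.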
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/emergencywp/tags/1.4.2/pages/emergencywp/setting_tabs/settings_main.php#L17
- https://plugins.trac.wordpress.org/browser/emergencywp/tags/1.4.2/pages/emergencywp/setting_tabs/settings_main.php#L217
- https://plugins.trac.wordpress.org/browser/emergencywp/tags/1.4.2/pages/emergencywp/setting_tabs/settings_main.php#L79
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6013f592-4cff-4b94-968d-6f66e84368d0?source=cve