WordPress Security Bulletin: WebPurify Profanity Filter Plugin Vulnerability (CVE-2026-0572)

Security Alert Summary

The WebPurify Profanity Filter plugin for WordPress contains a missing capability check in the webpurify_save_options function in all versions up to and including 4.0.2, which allows unauthenticated users to modify plugin settings. This can result in unauthorized changes to how the plugin filters or replaces content on affected sites.

CVE Details

  • CVE ID: CVE-2026-0572
  • Affected component: WebPurify Profanity Filter plugin for WordPress
  • Affected versions: All versions up to, and including, 4.0.2
  • Published: February 4, 2026 at 9:15:51 AM (UTC)
  • Last modified: February 4, 2026 at 4:33:44 PM (UTC)
  • CVSS v3.1: Base Score 6.5, Severity: MEDIUM
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  • Authentication / Privileges / User interaction: Authentication not required; Privileges Required: NONE; User Interaction: NONE
  • Primary impacts: Integrity: LOW; Availability: LOW; Confidentiality: NONE
  • CWE / weakness: CWE-862

Technical Details

The vulnerability stems from a missing capability check on the webpurify_save_options function. Because the function does not verify whether the caller has the necessary permissions, unauthenticated actors can invoke it to modify plugin settings. The CVE description indicates this affects all versions through 4.0.2.

By allowing unauthorized modification of plugin configuration, an attacker can change filtering behavior, replacement lists, or other operational options provided by the WebPurify plugin. The entry does not specify a REST API endpoint or additional named functions beyond webpurify_save_options, nor does it list a fixed/patched version.
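
The general shape of a missing capability check and its fix, as an added example. This is hypothetical plugin code, not WebPurify's source or the vendor's patch. The example_filter_* function, option, nonce and page names and the allowed modes are assumptions, while the WordPress core calls are real.

```php
<?php
// Added illustration: hypothetical plugin code, not WebPurify's source.
// All example_filter_* names and the allowed modes are assumptions.

// CWE-862 pattern: the handler trusts the request. Nothing here
// establishes who the caller is or whether they may change settings.
function example_filter_save_options_unchecked() {
    if ( isset( $_POST['example_filter_mode'] ) ) {
        update_option( 'example_filter_mode', $_POST['example_filter_mode'] );
    }
}

// Hardened form: authorize, verify intent, validate, then write.
function example_filter_save_options() {
    // 1. Capability check: only users who may manage site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the request must come from the plugin's own
    //    settings form (which emits the field with wp_nonce_field()).
    check_admin_referer( 'example_filter_save', 'example_filter_nonce' );

    // 3. Validate the submitted value against an allow-list.
    $mode = isset( $_POST['example_filter_mode'] )
        ? sanitize_key( wp_unslash( $_POST['example_filter_mode'] ) )
        : '';
    if ( ! in_array( $mode, array( 'replace', 'block', 'off' ), true ) ) {
        wp_die( 'Invalid filter mode.', '', array( 'response' => 400 ) );
    }

    update_option( 'example_filter_mode', $mode );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-filter&updated=1' ) );
    exit;
}

// Only the hardened handler is registered. admin_post_{action} runs for
// logged-in users; the capability check decides which of them may save.
add_action( 'admin_post_example_filter_save', 'example_filter_save_options' );
```

When reviewing a patched release, the thing to look for is that every code path writing plugin options passes a capability check before the write.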

How This Could Impact Your Website

In a realistic scenario, a site owner runs a WordPress site with internal staff who moderate content and an external contractor who helps with editorial tasks. If an unauthenticated attacker changes the WebPurify plugin settings, the profanity filter could be weakened or disabled, or replacement rules could be altered. This can allow offensive or unwanted content to appear on public pages, creating reputational risk and additional moderation workload for staff.

Changes to filtering behavior could also be used to display misleading content or links that increase the risk of targeted phishing or social engineering against site users or contributors, even though the CVE entry reports no direct confidentiality impact. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and author roles that grant content or settings privileges.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and plugin setting changes for unusual behavior or unexpected modifications.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
