Home / Vulnerability Intelligence / CVE-2026-2941

CVE-2026-2941 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 23, 2026

Linksy Search and Replace - Broken Access Control

Published: March 21, 2026Updated: March 23, 2026Remote Exploitable

Overview

Linksy Search and Replace WordPress plugin <= 1.0.4 contains a broken access control vulnerability caused by missing capability check in 'linksy_search_and_replace_item_details' function, letting authenticated attackers with subscriber-level access modify any database value, including wp_capabilities, leading to privilege escalation.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 3.9%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can escalate privileges to administrator by modifying database values, compromising site security.

Mitigation

Update to the latest version beyond 1.0.4.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 21, 2026

🟠 CVE-2026-2941 - High (8.8) The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This make... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2941/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-2941
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: unconfirmed
EPSS: 3.9%
Social Posts: 1

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.9%Probability of exploitation in the next 30 days