Vulnerabilities and security researches forlocation-weather location-weather

May 24, 2026

CVE, Research URL: CVE-2026-7249
Home page URL: Security reports for Location Weather – Best Weather Forecast Widget Plugin for WordPress
Application: Location Weather – Best Weather Forecast Widget Plugin for WordPress
Date: May 22, 2026
Research Description: The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook.
Affected versions: max 3.0.3.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2023-0360
Home page URL: Security reports for Location Weather – Best Weather Forecast Widget Plugin for WordPress
Application: Location Weather – Best Weather Forecast Widget Plugin for WordPress
Date: Feb 13, 2023
Research Description: The Location Weather WordPress plugin before 1.3.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: max 1.3.4.
Status: vulnerable