CVE-2026-4280 Breaking News WP <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Local File Inclusion/Read

The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwpajaxform AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwptheme option...