CVE-2026-30701

CVE-2026-30701 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) in the web interface of the WiFi Extender WDR201A, specifically hardware version 2.1 running firmware LFMZX28040922V1.02. The flaw stems from hardcoded credential disclosure mechanisms implemented via Server Side Includes (SSI) in multiple server-side web pages, such as login.shtml and settings.shtml. These pages contain embedded server-side execution directives that dynamically retrieve and expose the web administration password stored in non-volatile memory at runtime, classified under CWE-798 (Use of Hard-coded Credentials).

Remote attackers with network access to the device can exploit this vulnerability without authentication, privileges, or user interaction by simply requesting the affected web pages. Successful exploitation allows retrieval of the plaintext web administration password, enabling full unauthorized access to the device's administrative interface. The high confidentiality impact reflects credential exposure, while the high availability impact may relate to potential disruptions from the SSI execution or follow-on administrative access.

Advisories reference a security research disclosure on mstreet97.github.io detailing this and other CVEs in the device, stemming from blackbox analysis of the consumer WiFi extender. A manufacturer page for Yeapook (Shenzhen-based producer established in 2015) is also linked, but no official patches, mitigations, or vendor responses are specified in available references. Security practitioners should isolate affected devices, monitor for unauthorized admin access, and pursue firmware updates if released.