Description
Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9.
Published: 2026-01-22
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Sensitive Data
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a CWE‑862 Missing Authorization flaw within the Hospital Doctor Directory plugin. The plugin lacks proper access control checks, allowing an unauthenticated or minimally privileged user to invoke functions normally reserved for administrators. As a result, attackers could read, modify, or delete doctor profile data, compromising confidentiality, integrity and potentially availability if the functionality is abused widely.

Affected Systems

The affected software is the Hospital Doctor Directory plugin developed by e‑plugins. Any installation running version 1.3.9 or older is vulnerable. The plugin is used within WordPress sites to manage doctor directory entries.

Risk and Exploitability

With a CVSS score of 7.6 the vulnerability is considered high severity. The EPSS score of less than 1% indicates a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the web interface of the WordPress site; an attacker can send crafted requests to the plugin’s endpoints to gain unauthorized access. No authentication is required, as the flaw stems from missing access control checks. If an adversary can reach the site, the exploitation is straightforward, but the overall risk is tempered by the low exploitation probability.

Generated by OpenCVE AI on April 28, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑published patch that addresses the CWE‑862 Missing Authorization issue, ensuring the missing access control checks are in place.
  • Restrict the plugin’s functionality so that only administrators have access, adjusting user roles accordingly.
  • If the plugin is not essential, consider removing or disabling it from the site.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}


Wed, 28 Jan 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: E-plugins; E-plugins hospital & Doctor Directory; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: E-plugins; E-plugins hospital & Doctor Directory; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9.

Type: Title
Values Removed: (none)
Values Added: WordPress Hospital Doctor Directory plugin <= 1.3.9 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:27.857Z

Reserved: 2025-12-15T10:01:11.955Z

Link: CVE-2025-68057

Vulnrichment

Updated: 2026-01-28T17:02:12.663Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:09.623

Modified: 2026-04-27T19:16:23.920

Link: CVE-2025-68057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:00:06Z

Weaknesses