Description
Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendy: from n/a through <= 3.4.2.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Sendy WordPress plugin is missing an authorization check, which allows attackers to bypass the configured security levels. This is a classic broken access control issue (CWE‑862): users who should not hold certain privileges can perform unauthorized actions within the plugin. Such unauthorized use can compromise both the confidentiality and integrity of the data handled by the plugin.

Affected Systems

WordPress sites that have installed the Sendy plugin up to and including version 3.4.2 are vulnerable. All users of these installations are at risk if the plugin is not patched or removed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be the web interface, and the attacker must interact with the plugin’s functionality. Because it is a broken access control flaw, an attacker who has already authenticated can potentially keep access to restricted actions, and an attacker could exploit the vulnerability without authentication if the plugin exposes administrative endpoints improperly.

Generated by OpenCVE AI on April 29, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sendy plugin to the latest release that contains the fix for this vulnerability.
  • If an update cannot be applied immediately, disable or uninstall the Sendy plugin to eliminate the exposed functionality.
  • Review and tighten WordPress role and capability settings so that only authorized users have access to the plugin’s features, following best practices for access control.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Wed, 25 Feb 2026 18:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sendy; Sendy sendy; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Sendy; Sendy sendy; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendy: from n/a through <= 3.4.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Sendy plugin <= 3.4.2 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.399Z

Reserved: 2025-12-19T10:17:28.556Z

Link: CVE-2025-68564

Vulnrichment

Updated: 2026-02-25T17:06:08.824Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:12.303

Modified: 2026-04-27T19:16:30.887

Link: CVE-2025-68564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:30:16Z

Weaknesses