Description
Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cnvrse: from n/a through < 026.02.10.20.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass via IDOR leading to unauthorized access to protected resources
Action: Immediate Patch
AI Analysis

Impact

The Cnvrse plugin accepts a user-controlled key (an object identifier supplied in the request) in place of a proper authorization check, so an attacker who knows or guesses the key can request the direct URL of a protected object and retrieve it without permission. The weakness is CWE-639 (Authorization Bypass Through User-Controlled Key), the pattern commonly called Insecure Direct Object Reference (IDOR). The current CVSS vector rates the impact as a loss of confidentiality (C:H) with no integrity or availability impact, so the expected outcome is disclosure of content that should be restricted rather than modification of it.

Affected Systems

WordPress sites running the Cnvrse plugin at a version earlier than 026.02.10.20 are affected. The CNA entry lists the product as "cnvrse" with an affected range from n/a through < 026.02.10.20 (the range was narrowed from <= 026.02.10.20 to < 026.02.10.20 on 1 Apr 2026). No other vendors or products are listed, so the exposure is limited to WordPress installations with this plugin active.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (High) comes from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: the flaw is reachable over the network, needs no privileges or user interaction, and its impact is confined to confidentiality. The vector was corrected on 23 Apr 2026 from an integrity-only (I:H) to a confidentiality-only (C:H) impact, which matches an IDOR that discloses objects. The EPSS score of less than 1% indicates few observed exploitation attempts, the vulnerability is not in the CISA KEV catalog, and the SSVC assessment recorded in the history below lists Exploitation: none, Automatable: yes and Technical Impact: partial. In practice an unauthenticated attacker who can reach the site can supply or enumerate object keys in requests to the plugin's endpoints; because the attack is automatable and needs no credentials, the low EPSS should not be read as a reason to defer patching.

Generated by OpenCVE AI on April 27, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The current description and title limit the affected range to versions below 026.02.10.20, so 026.02.10.20 is the earliest release listed as unaffected.

OpenCVE Recommended Actions

  • Update the Cnvrse plugin to version 026.02.10.20 or newer; the current description and title limit the affected range to versions below 026.02.10.20, so that is the earliest release recorded as unaffected.
  • If an update cannot be applied immediately, reduce exposure of the plugin's functionality: restrict the affected features to administrators or other trusted roles where the plugin allows it, and consider disabling the plugin until it can be updated. The CVSS vector rates the flaw as reachable without authentication (PR:N), so a per-role restriction is a stopgap, not a substitute for per-object authorization.
  • Review and harden the site's overall authorization: every data and URL endpoint should verify that the requesting user is permitted to access the specific object identified in the request, not merely that the user holds a given role, and web server and plugin logs should be audited for sequential or otherwise unexpected object-ID requests that indicate enumeration.
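To make the Impact section and the per-object capability check in the recommended actions concrete, here is an added illustration in the form of a WordPress REST route. It is not code from the Cnvrse plugin (the affected endpoint is not described on this page); the route, post type and function names are hypothetical. The first handler shows the CWE-639 pattern, where the object ID in the URL is the only thing deciding what is returned; the second adds a permission_callback that authenticates the caller and then authorizes that caller against the specific post.

```php
<?php
/*
 * Added illustration, not code from the Cnvrse plugin. Hypothetical
 * route  GET /wp-json/myplugin/v1/document/<id>  returning a private
 * custom post. All names below are assumptions.
 */

// The post type must be registered with map_meta_cap so that the
// per-object 'read_post' capability used further down resolves correctly.
add_action( 'init', function () {
    register_post_type( 'myplugin_document', array(
        'public'          => false,
        'capability_type' => 'post',
        'map_meta_cap'    => true,
    ) );
} );

// --- Vulnerable pattern (CWE-639): the caller chooses the key and nothing
//     checks that this caller may read this object. ---
function myplugin_get_document_vulnerable( WP_REST_Request $request ) {
    $id   = absint( $request['id'] );   // user-controlled key
    $post = get_post( $id );            // any post, any owner, any status
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such document', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'id' => $post->ID, 'content' => $post->post_content ) );
}

// --- Hardened pattern: authenticate, then authorize the specific object. ---
function myplugin_get_document_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Login required', array( 'status' => 401 ) );
    }
    $post = get_post( absint( $request['id'] ) );
    // Use 404 for both "does not exist" and "not yours" so the endpoint
    // cannot be used as an oracle to enumerate which IDs exist.
    if ( ! $post || 'myplugin_document' !== $post->post_type ) {
        return new WP_Error( 'not_found', 'No such document', array( 'status' => 404 ) );
    }
    // Per-object check: WordPress resolves 'read_post' against this post's
    // status and author, so the owner (and roles allowed to read private
    // posts) pass, every other authenticated user fails.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'not_found', 'No such document', array( 'status' => 404 ) );
    }
    return true;
}

function myplugin_get_document_hardened( WP_REST_Request $request ) {
    // Reached only after the permission callback returned true.
    $post = get_post( absint( $request['id'] ) );
    return rest_ensure_response( array( 'id' => $post->ID, 'content' => $post->post_content ) );
}

add_action( 'rest_api_init', function () {
    // Vulnerable registration, shown only for contrast: a permission_callback
    // of __return_true makes the object ID the sole access control.
    register_rest_route( 'myplugin/v1', '/document-vulnerable/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_get_document_vulnerable',
        'permission_callback' => '__return_true',
    ) );

    // Hardened registration.
    register_rest_route( 'myplugin/v1', '/document/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'myplugin_get_document_hardened',
        'permission_callback' => 'myplugin_get_document_permission',
        'args'                => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

Two points worth keeping in mind when reviewing a plugin for this class of flaw: a nonce check (check_ajax_referer or X-WP-Nonce) only proves the request came from a page the site served, it says nothing about whether the user may access the object named in the request; and a role check alone (current_user_can( 'edit_posts' )) still lets any user with that role read every other user's objects, which is why the check above is made against the specific post ID.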

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cnvrse: from n/a through <= 026.02.10.20.
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cnvrse: from n/a through < 026.02.10.20.

Type: Title
Values Removed: WordPress Cnvrse plugin <= 026.02.10.20 - Insecure Direct Object References (IDOR) vulnerability
Values Added: WordPress Cnvrse plugin < 026.02.10.20 - Insecure Direct Object References (IDOR) vulnerability

Fri, 27 Feb 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Cnvrse; Cnvrse cnvrse; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Cnvrse; Cnvrse cnvrse; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cnvrse: from n/a through <= 026.02.10.20.

Type: Title
Values Added: WordPress Cnvrse plugin <= 026.02.10.20 - Insecure Direct Object References (IDOR) vulnerability

Type: Weaknesses
Values Added: CWE-639

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:40.031Z

Reserved: 2025-12-31T20:13:16.054Z

Link: CVE-2025-69394

Vulnrichment

Updated: 2026-02-27T17:54:56.132Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:24.970

Modified: 2026-04-27T19:16:46.433

Link: CVE-2025-69394

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:30:12Z

Weaknesses