Description
Missing Authorization vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CMSMasters Content Composer: from n/a through <= 2.5.8.
Published: 2026-02-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Composer Functions
Action: Apply Patch
AI Analysis

Impact

A missing authorization check in the CMSMasters Content Composer WordPress plugin allows attackers who can access the administration interface to perform actions that should be restricted to privileged users. The vulnerability is caused by an incorrectly configured access control security level, enabling users without proper permissions to manipulate content composer functionality and potentially alter site content or settings.

Affected Systems

The flaw affects the CMSMasters Content Composer plugin for WordPress on all versions from not applicable through version 2.5.8. Users of WordPress sites that have not upgraded the plugin beyond this version are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating a high impact if exploited, while the EPSS score is less than 1% suggesting a low probability of exploitation at this time. It is not included in the CISA Known Exploited Vulnerabilities list, reducing the likelihood of a widespread targeted attack. The attack vector is most likely through the web interface; attackers need to authenticate to the WordPress admin area or leverage another authenticated session to access the vulnerable composer endpoints. The weakness is classified as CWE‑862, a missing authorization flaw.

Generated by OpenCVE AI on April 16, 2026 at 06:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CMSMasters Content Composer to a version newer than 2.5.8 or apply the vendor's fix if available
  • If an upgrade is not immediately possible, restrict access to the composer administration pages using WordPress role capabilities or server‑level access controls to ensure only authorized users can reach the affected functionality
  • Verify that all composer features are properly protected by authentication checks by reviewing the plugin’s access control logic and confirming that only users with the required capabilities can invoke them

Generated by OpenCVE AI on April 16, 2026 at 06:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Cmsmasters
Cmsmasters cmsmasters Content Composer
Wordpress
Wordpress wordpress
Vendors & Products Cmsmasters
Cmsmasters cmsmasters Content Composer
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CMSMasters Content Composer: from n/a through <= 2.5.8.
Title WordPress CMSMasters Content Composer plugin <= 2.5.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Cmsmasters Cmsmasters Content Composer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:46.775Z

Reserved: 2026-01-14T08:36:07.869Z

Link: CVE-2026-23547

cve-icon Vulnrichment

Updated: 2026-02-20T17:07:22.932Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:12.627

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23547

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses