Description
Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPVulnerability: from n/a through <= 4.2.1.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

A missing authorization check in the WPVulnerability plugin allows users that should not have privileges to view or change sensitive settings. This flaw permits an attacker to bypass normal access controls to the plugin’s configuration and potentially other protected resources, leading to unauthorized data exposure or modification. The weakness corresponds to a broken access control vulnerability classified as CWE‑862 and carries a moderate severity rating.

Affected Systems

The affected product is the WPVulnerability plugin developed by Javier Casares for WordPress. All releases with a version number of 4.2.1 or earlier are vulnerable; versions newer than 4.2.1 are not documented as affected.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk, and the EPSS score of less than 1% suggests that large‑scale exploitation is currently unlikely. The flaw does not require any privileged state on the server; access can be achieved remotely by interacting with the plugin’s administrative endpoints, a conclusion inferred from the description of missing authorization. Although no public exploits are listed and the issue is not featured in CISA’s KEV catalog, the potential for unauthorized control warrants timely remediation.

Generated by OpenCVE AI on March 26, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPVulnerability plugin to the latest available version (4.2.2 or newer).
  • Verify the upgrade by confirming the plugin version number in the WordPress administration panel.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'} | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Javier Casares; Javier Casares wpvulnerability; Wordpress; Wordpress wordpress
Vendors & Products | | Javier Casares; Javier Casares wpvulnerability; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPVulnerability: from n/a through <= 4.2.1.
Title | | WordPress WPVulnerability plugin <= 4.2.1 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:04.966Z

Reserved: 2026-01-22T14:42:40.516Z

Link: CVE-2026-24376

Vulnrichment

Updated: 2026-03-26T16:32:32.639Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:37.930

Modified: 2026-04-23T15:36:44.250

Link: CVE-2026-24376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:27Z
