Description
Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through <= 2.19.17.
Published: 2026-02-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification or configuration change due to missing authorization
Action: Immediate Upgrade
AI Analysis

Impact

The vulnerability is a missing authorization check (CWE-862), which the advisory classifies as exploiting incorrectly configured access control security levels. A user who can reach the Spectra plugin's administrative interfaces without being authorized for them could modify plugin settings or other site data, leading to unauthorized changes. A flaw of this kind could be used to alter content or otherwise compromise the site's configuration.

Affected Systems

WordPress installations that run the Brainstorm Force Spectra plugin – any version from the earliest release up through 2.19.17 – are affected. Sites that have not updated this plugin beyond version 2.19.17 remain vulnerable.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the medium severity range. EPSS indicates an exploitation probability of less than 1%, showing a low likelihood of being targeted. The vulnerability is not listed in the CISA KEV catalog, suggesting that no widespread exploitation has been observed. The likely attack vector would involve an attacker reaching the plugin's administrative endpoints; whether that is possible depends on the site's user privileges and any existing authentication mechanisms. Overall, while the risk is moderate, a successful exploit could allow unauthenticated or low-privilege users to alter plugin settings and potentially site settings.

Generated by OpenCVE AI on April 16, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Spectra plugin to a version higher than 2.19.17 in order to remove the missing authorization flaw
  • Restrict access to the plugin’s administrative pages and any custom endpoints by ensuring only WordPress administrator roles can reach them, adding capability checks if necessary
  • Review WordPress user roles and capabilities to confirm that only trusted users have permissions to modify plugin settings, and consider applying a security plugin to monitor and block anomalous requests

Generated by OpenCVE AI on April 16, 2026 at 01:17 UTC.
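As an added illustration of the capability check recommended above (this is not the Spectra plugin's code; the namespace, route, option name and function names are hypothetical placeholders), a WordPress REST route that stores a plugin setting is shown first without an authorization check, which is the CWE-862 pattern, and then with the permission callback and input validation a hardened endpoint needs.

```php
<?php
// Added example, not from the Spectra plugin. Namespace, route, option name
// and function names are hypothetical placeholders.

// VULNERABLE: no authorization. '__return_true' lets any visitor,
// authenticated or not, reach the callback and change the option (CWE-862).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true',
    ) );
} );

// FIXED: the permission callback runs before the handler. Only users holding
// manage_options (administrators by default) may change plugin settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change these settings.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'layout' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'grid', 'list' ), true );
                },
            ),
        ),
    ) );
} );

// Shared handler: on the secure route it only runs after the capability
// check above has passed and the argument has been validated.
function example_plugin_save_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_layout', $request->get_param( 'layout' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

The same pattern applies to admin-ajax handlers and admin pages: check `current_user_can()` (and a nonce) inside the handler itself, not only in the UI that links to it.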

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Brainstormforce; Brainstormforce spectra; Wordpress; Wordpress wordpress
Vendors & Products  |                | Brainstormforce; Brainstormforce spectra; Wordpress; Wordpress wordpress

Tue, 03 Feb 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
        |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 14:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through <= 2.19.17.
Title       |                | WordPress Spectra plugin <= 2.19.17 - Broken Access Control vulnerability
Weaknesses  |                | CWE-862
References  |                |

Subscriptions

Brainstormforce Spectra
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:36.884Z

Reserved: 2026-01-28T09:50:46.305Z

Link: CVE-2026-24982

Vulnrichment

Updated: 2026-02-03T16:50:17.567Z

NVD

Status: Deferred

Published: 2026-02-03T15:16:17.373

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:30:20Z

Weaknesses