Description
Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sync for Notion: from n/a through <= 1.7.0.
Published: 2026-02-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch Now
AI Analysis

Impact

The WP Connect WP Sync for Notion plugin contains a missing authorization flaw that allows visitors or users with minimal privileges to interact with protected plugin features. By bypassing the intended access controls, an attacker could potentially add, edit, or delete content synchronized between WordPress and Notion, or expose sensitive configuration information. The weak point is a classic input or access control problem identified as CWE-862.

Affected Systems

Vendors affected include WP connect and the WordPress plugin WP Sync for Notion. All plugin versions up to and including 1.7.0 are vulnerable; any WordPress site running these versions is at risk.

Risk and Exploitability

This vulnerability receives a CVSS score of 4.3, indicating a moderate impact, and an EPSS score of less than 1%, suggesting a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to have some level of site access or to be able to trigger plugin actions, so the likely attack vector is local or authenticated via the WordPress admin interface. While the risk is currently low, any site that could expose the plugin’s management URLs or allow unauthenticated users elevated privileges remains a potential target.

Generated by OpenCVE AI on April 16, 2026 at 01:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Sync for Notion plugin to version 1.7.1 or later where the access control issue has been fixed.
  • If an upgrade is not immediately possible, constrain access to the plugin’s administrative pages by enforcing strict role‑based permissions and restricting non‑administrator users from accessing the sync interface.
  • Continuously monitor site logs and plugin activity for unauthorized attempts or abnormal usage patterns.

Generated by OpenCVE AI on April 16, 2026 at 01:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp Connect
Wp Connect wp Sync For Notion
Vendors & Products Wordpress
Wordpress wordpress
Wp Connect
Wp Connect wp Sync For Notion

Tue, 03 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 14:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sync for Notion: from n/a through <= 1.7.0.
Title WordPress WP Sync for Notion plugin <= 1.7.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wp Connect Wp Sync For Notion
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:42.141Z

Reserved: 2026-01-28T09:51:55.183Z

Link: CVE-2026-25020

cve-icon Vulnrichment

Updated: 2026-02-03T14:51:09.597Z

cve-icon NVD

Status : Deferred

Published: 2026-02-03T15:16:20.197

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25020

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses