Description
Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PublishPress Authors: from n/a through <= 4.10.1.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

The plugin contains a missing‑authorization vulnerability (CWE-862) that lets attackers exploit incorrectly configured access control levels. The flaw can allow a user to perform actions normally reserved for higher‑privilege roles, such as editing or deleting content, modifying user capabilities, or accessing sensitive data, thereby compromising the confidentiality, integrity, and availability of the WordPress site.

Affected Systems

WordPress installations using the PublishPress Authors plugin version 4.10.1 or earlier are affected. The issue spans all releases of the plugin from its earliest version through 4.10.1, regardless of the underlying WordPress version.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is classified as high severity, while an EPSS score of less than 1% indicates that current exploitation risk is low, although it could rise if the flaw becomes widely known. The vulnerability is not listed in the CISA KEV catalog, suggesting no documented widespread exploitation yet. Attackers most likely reach the vulnerable code via the WordPress web interface, where the plugin’s author or admin endpoints are exposed; if an unauthenticated or low‑privilege user can access these endpoints, the missing authorization can be abused to perform privileged actions.

Generated by OpenCVE AI on March 27, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PublishPress Authors plugin to version 4.10.2 or newer
  • Restrict author role permissions and verify that only authorized users possess editor or admin capabilities
  • Monitor site logs for suspicious activity and apply future patches promptly



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Publishpress; Publishpress publishpress Authors; Wordpress; Wordpress wordpress
Vendors & Products | | Publishpress; Publishpress publishpress Authors; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PublishPress Authors: from n/a through <= 4.10.1.
Title | | WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-27T14:47:57.176Z

Reserved: 2026-02-02T12:20:39.016Z

Link: CVE-2026-25309

Vulnrichment

Updated: 2026-03-27T14:46:35.274Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:43.800

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:25Z

Weaknesses