Description
Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CORS: from n/a through <= 0.2.2.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access Due to Missing Authorization
Action: Patch Now
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the tstephenson WP-CORS WordPress plugin, allowing an attacker to exploit incorrectly configured access control levels. This flaw can let an unauthorized user view or modify protected resources exposed by the plugin, potentially leading to data disclosure or manipulation. As a CWE‑862 missing authorization issue, the primary impact is unauthorized access to content or configuration data.

Affected Systems

Affected systems are WordPress sites that have the tstephenson WP-CORS plugin installed at version 0.2.2 or earlier. Any deployment of this plugin without an upgrade is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates low to moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so no confirmed public exploits are documented. Attackers would likely perform the exploitation remotely by sending crafted HTTP requests to the plugin’s endpoints; no local privilege escalation or execution is required.

Generated by OpenCVE AI on April 16, 2026 at 00:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP-CORS plugin to the latest version (>=0.2.3) to apply the missing authorization fix.
  • If an update is not immediately possible, disable the WP-CORS plugin or restrict its exposure to trusted IP ranges.
  • Review and enforce strong authentication and role permissions on your WordPress instance to limit potential damage from any plugin‑related exposure.

Generated by OpenCVE AI on April 16, 2026 at 00:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tstephenson
Tstephenson wp-cors
Wordpress
Wordpress wordpress
Vendors & Products Tstephenson
Tstephenson wp-cors
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in tstephenson WP-CORS wp-cors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CORS: from n/a through <= 0.2.2.
Title WordPress WP-CORS plugin <= 0.2.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Tstephenson Wp-cors
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:56.119Z

Reserved: 2026-02-02T12:53:19.001Z

Link: CVE-2026-25410

cve-icon Vulnrichment

Updated: 2026-02-19T21:06:09.916Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:22.743

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25410

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:30:18Z

Weaknesses