Description
Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCafe: from n/a through <= 3.0.7.
Published: 2026-03-25
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Missing Authorization
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the WordPress WPCafe plugin that allows exploitation of incorrectly configured access control levels. An attacker can use this flaw to access functions or data that should be restricted, potentially gaining privileged actions or exposing sensitive information. The flaw is classified as CWE-862, missing authorization, and can lead to serious confidentiality and integrity breaches if exploited.

Affected Systems

The affected product is the WordPress WPCafe plugin made by Arraytics. All versions from the first release up to and including 3.0.7 are vulnerable. Site administrators should confirm whether their installations fall within this range and take corrective action.

Risk and Exploitability

The CVSS score of 9.1 indicates a high severity risk. However, the EPSS score is less than 1%, suggesting that current exploitation activity is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to involve an authenticated user, or an attacker with some other form of access to the WordPress dashboard, interacting with the plugin's endpoints. Monitoring for anomalous activity is recommended because of the potential for privilege escalation.

Generated by OpenCVE AI on March 26, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPCafe plugin to version 3.0.8 or later.
  • If an update is not immediately possible, consider disabling or removing the plugin until a secure version is available.
  • Verify the plugin's configuration to ensure that role and capability settings are correctly applied and that no elevated permissions are granted unintentionally.
  • Monitor site logs for unusual access or changes related to the plugin to detect potential exploitation attempts.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Arraytics; Arraytics wpcafe; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Arraytics; Arraytics wpcafe; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 3.0.7.

Type: Title
Values Removed: (none)
Values Added: WordPress WPCafe plugin <= 3.0.7 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:53:48.371Z

Reserved: 2026-02-17T13:23:51.341Z

Link: CVE-2026-27071

Vulnrichment

Updated: 2026-03-26T19:52:16.569Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:54.660

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:28Z

Weaknesses