Description
Missing Authorization vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1.
Published: 2026-03-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Broken Access Control
Action: Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that permits exploitation of incorrectly configured access control security levels. The primary consequence is that an attacker can gain elevated privileges within the Responsive Posts Carousel Pro plugin, potentially modifying or deleting carousel content or configuration. The flaw is classified as CWE-862 (Missing Authorization).

Affected Systems

The affected product is the WebCodingPlace Responsive Posts Carousel Pro plugin for WordPress. Affected versions range from an unspecified initial version through 15.1. No full CPE strings are provided, so exposure is limited to WordPress sites that have any version of the plugin up to and including 15.1 installed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity vulnerability, but the EPSS score is listed as less than 1% and the flaw is not listed in the CISA KEV catalog, suggesting a low probability of exploitation in the wild. The likely attack vector is remote, via the WordPress web interface, potentially requiring an authenticated user with insufficient privileges or a misconfigured role. Only a user who can navigate the plugin’s administrative panel could exploit the missing authorization checks to alter plugin data or settings.

Generated by OpenCVE AI on April 15, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Responsive Posts Carousel Pro plugin to a version newer than 15.1.
  • If an upgrade is not immediately possible, restrict access to the plugin’s admin pages using IP whitelisting or by disabling the plugin for non‑administrator roles.
  • Ensure that WordPress role permissions are correctly configured so that only administrators or designated editors can manage plugin settings, thereby mitigating the broken access control flaw.


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webcodingplace; Webcodingplace responsive Posts Carousel Pro; Wordpress; Wordpress wordpress
Vendors & Products | | Webcodingplace; Webcodingplace responsive Posts Carousel Pro; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1.
Title | | WordPress Responsive Posts Carousel Pro plugin <= 15.1 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:11.193Z

Reserved: 2026-02-19T09:51:48.838Z

Link: CVE-2026-27361

Vulnrichment

Updated: 2026-03-09T18:32:21.468Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:25.947

Modified: 2026-03-09T19:16:05.070

Link: CVE-2026-27361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:45:05Z

Weaknesses