Description
Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pochipp: from n/a through < 1.18.9.
Published: 2026-03-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The Pochipp plugin for WordPress contains a missing authorization vulnerability that allows attackers to exploit incorrectly configured access control security levels. This flaw is identified as CWE-862 and can enable an attacker to perform actions or access data that should be protected by the plugin’s intended access controls. The potential impact includes unauthorized viewing or modification of plugin data, configuration settings, or actions that the plugin permits to authenticated users.

Affected Systems

The vulnerability affects all versions of the Pochipp plugin older than 1.18.9 on WordPress sites. Any WordPress installation that has a Pochipp plugin version from the earliest available up to 1.18.8 is potentially impacted.

Risk and Exploitability

The CVSS score for this issue is 5.4, indicating moderate severity. The EPSS score is reported to be less than 1%, suggesting a relatively low likelihood of exploitation in the wild. The vulnerability has not been listed in the CISA KEV catalog. The attack vector is not explicitly described in the vendor data, but based on the description it is inferred that the flaw can be triggered via the WordPress web interface where the plugin’s functionality is accessible.

Generated by OpenCVE AI on March 19, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pochipp plugin to version 1.18.9 or later.
  • If an upgrade is not immediately possible, restrict access to plugin functionality by applying WordPress role and capability settings to limit actions to trusted users.
  • Verify that any custom access controls or plugin settings are correctly configured to enforce intended permissions.
  • If the plugin is unused, disable or remove it entirely.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wordpress; Wordpress wordpress; Wppochipp; Wppochipp pochipp |
| Vendors & Products | | Wordpress; Wordpress wordpress; Wppochipp; Wppochipp pochipp |

Fri, 13 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'} |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Fri, 13 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pochipp: from n/a through < 1.18.9. |
| Title | | WordPress Pochipp plugin < 1.18.9 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:13.232Z

Reserved: 2026-03-12T11:11:19.858Z

Link: CVE-2026-32417

Vulnrichment

Updated: 2026-03-13T18:54:45.994Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:59.117

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:46Z

Weaknesses