Description
Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions.
Published: 2026-06-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPAMS plugin versions prior to 49.5.3 contain a flaw that allows authenticated subscribers to delete arbitrary content. This vulnerability can be exploited to remove posts, pages, or other media created by any user, leading to loss of data and potential disruption of website functionality. The weakness correlates with CWE-862, indicating a privilege escalation flaw where users with limited permissions can perform actions beyond their scope.

Affected Systems

The affected product is the WordPress WPAMS plugin from mojoomla. Users running any version earlier than 49.5.3 are susceptible. No other versions or products are mentioned as impacted.

Risk and Exploitability

The CVSS score of 6.5 places this issue in the medium severity range, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. Because it is not listed in the CISA KEV catalog, there have been no widely known public exploits as of now. An attacker would need to be logged in as a subscriber and exploit the plugin’s deletion endpoint, so the attack surface is limited to authenticated users. Nevertheless, since the flaw lets users delete content beyond their permissions, the potential impact on website integrity is significant.

Generated by OpenCVE AI on June 17, 2026 at 19:39 UTC.

Remediation

Vendor Solution

Update the WordPress MJAMS Plugin to the latest available version (at least 49.5.3).


OpenCVE Recommended Actions

  • Upgrade the WPAMS plugin to version 49.5.3 or later.
  • Revoke or limit deletion permissions for subscriber roles to prevent accidental or malicious removals.
  • Perform a content audit to restore any deleted material and verify backup integrity.

Generated by OpenCVE AI on June 17, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Mojoomla
Mojoomla wpams Plugin
Wordpress
Wordpress wordpress
Vendors & Products Mojoomla
Mojoomla wpams Plugin
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions.
Title WordPress WPAMS plugin < 49.5.3 - Arbitrary Content Deletion vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Mojoomla Wpams Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:43:13.208Z

Reserved: 2026-04-07T08:24:21.368Z

Link: CVE-2026-39433

cve-icon Vulnrichment

Updated: 2026-06-17T10:43:08.193Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses