Description
Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Sensitive Meeting Data
Action: Immediate Patch
AI Analysis

Impact

The 12 Step Meeting List plugin for WordPress contains a missing authorization flaw that permits users to access or manipulate meeting data that should be restricted. The primary impact is that an attacker with minimal access can view or modify meeting information, potentially exposing confidential schedules or altering content. The weakness maps to CWE-862, a broken access control issue.

Affected Systems

The vulnerability affects AA Web Servant’s 12 Step Meeting List plugin versions up to and including 3.19.9. WordPress sites that have installed any of these versions are at risk and should consider upgrading. No further version details or variants are listed, so any site using an affected version is potentially impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS indicates a very low likelihood of exploitation (<1%), and the issue is not in the KEV catalog, suggesting limited current exploitation. The likely attack vector is that a visitor or an authenticated user could send crafted HTTP requests to the plugin’s endpoints to bypass normal access controls; this inference comes from the description of “missing authorization” and typical plugin behavior. If the plugin is publicly accessible, attackers might first gather credentials or access the site to exploit the flaw.

Generated by OpenCVE AI on April 10, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 12 Step Meeting List plugin to a version newer than 3.19.9
  • If an update is not immediately available, disable the plugin or restrict access to its pages
  • Apply any vendor-specified configuration changes to enforce proper access controls
  • Verify that no unauthorized endpoints are accessible by performing a review of the plugin’s functionalities

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aa Web Servant; Aa Web Servant 12 Step Meeting List; Wordpress; Wordpress wordpress
Vendors & Products | | Aa Web Servant; Aa Web Servant 12 Step Meeting List; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
Title | | WordPress 12 Step Meeting List plugin <= 3.19.9 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.105Z

Reserved: 2026-04-07T10:48:32.434Z

Link: CVE-2026-39569

Vulnrichment

Updated: 2026-04-10T16:44:40.462Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:28.083

Modified: 2026-04-24T18:07:25.343

Link: CVE-2026-39569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:25:21Z

Weaknesses