Description
Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Super Custom Login: from n/a through <= 1.1.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch Immediately
AI Analysis

Impact

An access control issue in the Super Custom Login plugin allows attackers to bypass authorization checks. The missing authorization permits unauthorized users to reach protected areas or functionality provided by the plugin, potentially exposing sensitive configuration data or enabling further compromise. The weakness aligns with CWE-862, which describes missing or ineffective authorization controls.

Affected Systems

WordPress sites that have the Super Custom Login plugin version 1.1 or earlier installed are affected. The issue was reported for all releases from the initial release through version 1.1 without an earlier fix. Site owners should confirm the plugin version and determine if the plugin is active.

Risk and Exploitability

The CVSS base score of 5.3 places this vulnerability in the medium range. The EPSS score indicates a very low probability of exploitation (<1%). The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation. It is inferred that the attack could be carried out remotely by sending crafted HTTP requests to the plugin without prior authentication.

Generated by OpenCVE AI on April 10, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Super Custom Login (post‑1.1) as soon as possible.
  • If an update is unavailable, remove or disable the plugin’s public URLs.
  • Review and tighten any custom access controls on the plugin’s settings pages.
  • Monitor WordPress activity logs for signs of unauthorized access attempts.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Fri, 10 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Obadiah; Obadiah super Custom Login; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Obadiah; Obadiah super Custom Login; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: none
Values Added: Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Super Custom Login: from n/a through <= 1.1.

Type: Title
Values Removed: none
Values Added: WordPress Super Custom Login plugin <= 1.1 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.309Z

Reserved: 2026-04-07T10:48:55.140Z

Link: CVE-2026-39605

Vulnrichment

Updated: 2026-04-10T16:38:25.660Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:29.757

Modified: 2026-04-29T10:17:30.443

Link: CVE-2026-39605

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:25:17Z