Description
Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filter Plus: from n/a through <= 1.1.17.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a missing authorization flaw in the WordPress “Filter Plus” plugin that allows users without proper privileges to perform actions such as modifying filter settings or accessing administrative functions. Because the plugin’s access checks are incorrectly configured, an attacker can elevate privileges within the site, potentially taking full control of the site’s configuration. The weakness originates from a failure to validate user roles before executing sensitive operations, classifying it as a missing authorization issue.

Affected Systems

WordPress sites that have installed the Wpbens Filter Plus plugin version 1.1.17 or earlier. Any site using that plugin without updating beyond the specified release is vulnerable, regardless of other active plugins or themes.

Risk and Exploitability

The CVSS score and exploit probability are not provided, but the missing authorization flaw warrants high severity. The likely attack vector is inferred to be remote exploitation through crafted HTTP requests to the plugin’s endpoints, requiring an authenticated user who lacks the necessary permissions. Because the plugin does not enforce proper access checks, any such user can trigger the vulnerable behavior. No current exploitation has been reported and the issue is not listed in the CISA KEV catalog, yet the risk remains significant due to the ease of triggering the flaw once credentials are obtained.

Generated by OpenCVE AI on April 8, 2026 at 10:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Filter Plus plugin to version 1.1.18 or newer.
  • If an upgrade cannot be performed immediately, disable the plugin until a patch is applied.
  • Restrict the plugin’s files using web server access controls or file permissions to prevent unauthorized execution.
  • Verify that WordPress user accounts have the appropriate roles and that no users possess superfluous privileges that could enable re‑activation of the plugin.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Values removed: none
Values added:
  • First Time appeared: Wordpress; Wordpress wordpress; Wpbens; Wpbens filter Plus
  • Vendors & Products: Wordpress; Wordpress wordpress; Wpbens; Wpbens filter Plus

Wed, 08 Apr 2026 08:45:00 +0000

Values removed: none
Values added:
  • Description: Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filter Plus: from n/a through <= 1.1.17.
  • Title: WordPress Filter Plus plugin <= 1.1.17 - Broken Access Control vulnerability
  • Weaknesses: CWE-862
  • References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:22.832Z

Reserved: 2026-04-07T10:48:55.140Z

Link: CVE-2026-39607

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:30.033

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:42:10Z

Weaknesses