Description
Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpXmas-Snow: from n/a through <= 1.1.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Apply Patch
AI Analysis

Impact

A missing authorization flaw in the WpXmas‑Snow WordPress plugin allows attackers to bypass access control checks. The vulnerability can enable unauthorized users to execute actions normally reserved for administrators, such as viewing, modifying, or deleting site content. It is identified as CWE‑862, indicating a failure to enforce proper authorization.

Affected Systems

The plugin developed by Pankaj Kumar, version 1.1 and all earlier releases, is affected. Any WordPress site that deploys these versions of the WpXmas‑Snow plugin is at risk.

Risk and Exploitability

With no exploit probability data available, the inherent lack of authorization presents a significant risk of exploitation. An attacker could manipulate HTTP requests to reach plugin endpoints and perform privileged actions without proper authentication. The vulnerability threatens the confidentiality, integrity, or availability of the site if accessed by malicious actors. The problem is not listed in the Known Exploited Vulnerabilities catalogue.

Generated by OpenCVE AI on April 8, 2026 at 10:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WpXmas‑Snow plugin to the latest version that addresses the authorization flaw.
  • If an update is not yet available, deactivate or uninstall the plugin to eliminate the exposed functionality.
  • Limit plugin access by assigning WordPress roles appropriately so that only trusted users can interact with its features.
  • Regularly review and monitor site logs for suspicious activity that may indicate attempts to exploit the access controls.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pankaj Kumar; Pankaj Kumar wpxmas-snow; Wordpress; Wordpress wordpress
Vendors & Products | | Pankaj Kumar; Pankaj Kumar wpxmas-snow; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpXmas-Snow: from n/a through <= 1.1.
Title | | WordPress WpXmas-Snow plugin <= 1.1 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:23.579Z

Reserved: 2026-04-07T10:48:55.140Z

Link: CVE-2026-39610

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:30.440

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39610

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:42:07Z

Weaknesses