Description
Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JW Player for WordPress: from n/a through <= 2.3.6.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to protected media content
Action: Patch
AI Analysis

Impact

A missing authorization flaw in the ilGhera JW Player for WordPress plugin enables users without proper privileges to bypass the plugin's configured access‑control settings and view media files that should remain restricted. The weakness is classified as a classic authorization bypass, documented as CWE‑862, and can lead to the exposure of confidential audio or video assets. Because the plugin controls media delivery, an attacker could retrieve large amounts of proprietary content or manipulate it, impacting confidentiality and integrity.

Affected Systems

The issue affects the JW Player for WordPress plugin released by ilGhera. All publicly available versions up to and including 2.3.6 are vulnerable. Earlier releases are not explicitly listed but are presumed affected unless later versions are known to fix the issue.

Risk and Exploitability

Exploitation requires only web access to a WordPress site hosting the affected plugin; an attacker can send requests to the plugin’s media endpoints to retrieve hidden files. The CVE metadata does not provide an official CVSS or EPSS score, but bypassing access control is inherently critical. The vulnerability is not recorded in the CISA KEV catalog. Because no privileges such as authentication are required, the risk remains high for any site with the plugin installed.

Generated by OpenCVE AI on April 8, 2026 at 10:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JW Player for WordPress to a release newer than 2.3.6
  • If an upgrade is not feasible, remove or disable the JW Player plugin from the WordPress installation
  • After applying a fix or removal, verify that media access controls function as intended

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ilghera; Ilghera jw Player For Wordpress; Wordpress; Wordpress wordpress
Vendors & Products | | Ilghera; Ilghera jw Player For Wordpress; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JW Player for WordPress: from n/a through <= 2.3.6.
Title | | WordPress JW Player for WordPress plugin <= 2.3.6 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:24.340Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39614

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:31.190

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:42:02Z

Weaknesses