Description
Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JW Player for WordPress: from n/a through <= 2.3.6.
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Broken Access Control
Action: Patch Immediately
AI Analysis

Impact

The ilGhera JW Player for WordPress plugin contains a missing authorization check that permits unauthenticated users to access certain plugin functionalities. This lack of proper access control is identified as CWE‑862 and can potentially expose restricted media content or plugin configuration data to non‑privileged users. The vulnerability does not claim the ability to alter data; it specifically concerns the ability to view content that should be protected.

Affected Systems

All WordPress installations that use the ilGhera JW Player for WordPress plugin up through version 2.3.6 are affected. Site administrators should verify the installed plugin version and check whether any instances of the plugin are present on their sites.

Risk and Exploitability

The medium CVSS score of 5.4 indicates a moderate level of risk, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description of a missing authorization mechanism, the likely attack vector involves crafted HTTP requests to plugin endpoints that do not enforce proper access checks. Because no proof‑of‑concept is available publicly, the exact exploitation requirements remain inferred, but the risk remains that attackers could retrieve restricted media or configuration information.

Generated by OpenCVE AI on April 13, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JW Player for WordPress plugin to a version newer than 2.3.6
  • Confirm that the site no longer accepts unauthorized access to the plugin’s media or settings endpoints


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Mon, 13 Apr 2026 19:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Ilghera; Ilghera jw Player For Wordpress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Ilghera; Ilghera jw Player For Wordpress; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JW Player for WordPress: from n/a through <= 2.3.6.

Type: Title
Values Added: WordPress JW Player for WordPress plugin <= 2.3.6 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.597Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39614

Vulnrichment

Updated: 2026-04-13T18:44:31.896Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:31.190

Modified: 2026-04-29T10:17:31.547

Link: CVE-2026-39614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:39:03Z

Weaknesses