Description
Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through <= 1.2.2.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The RPS Include Content plugin for WordPress contains a missing authorization flaw that allows users to access the plugin’s endpoints without passing the required permission checks. Because the plugin does not enforce user role validation, any visitor who can reach those URLs can invoke the exposed functionality. This issue is classified as CWE‑862, Missing Authorization.

Affected Systems

WordPress sites that have installed the redpixelstudios RPS Include Content plugin version 1.2.2 or earlier are affected. The vulnerability applies to all users who can reach the plugin’s endpoints regardless of their role within WordPress.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate severity. The EPSS score is less than 1 %, suggesting a low likelihood of exploitation in the short term. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, so no public exploit is documented. The most likely attack vector is remote access to the website’s public URLs, as the plugin’s endpoints can be reached via the web interface; this inference is not directly stated in the input.

Generated by OpenCVE AI on April 9, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin’s official site or repository for an update that addresses the authorization issue and apply the patch as soon as it becomes available.
  • If no patch is available, consider disabling or uninstalling the RPS Include Content plugin until a fixed version is released.
  • Restrict access to the plugin’s administrative URLs using .htaccess or equivalent firewall rules so that only trusted administrators can reach them.

Generated by OpenCVE AI on April 9, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Redpixelstudios
Redpixelstudios rps Include Content
Wordpress
Wordpress wordpress
Vendors & Products Redpixelstudios
Redpixelstudios rps Include Content
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through <= 1.2.2.
Title WordPress RPS Include Content plugin <= 1.2.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Redpixelstudios Rps Include Content
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.943Z

Reserved: 2026-04-07T10:57:43.491Z

Link: CVE-2026-39639

cve-icon Vulnrichment

Updated: 2026-04-09T15:52:06.662Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:34.670

Modified: 2026-04-29T10:17:34.743

Link: CVE-2026-39639

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:40:48Z

Weaknesses