Description
Missing Authorization vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wp Ultimate Review: from n/a through <= 2.3.8.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Update Plugin
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows attackers to exploit incorrect access control settings in the Wp Ultimate Review plugin. Because the plugin fails to enforce proper permissions, a malicious user can potentially read, modify, or delete reviews and other managed content. This flaw directly undermines the confidentiality and integrity of site data within WordPress sites that use affected plugin versions.

Affected Systems

The affected product is the Roxnor Wp Ultimate Review WordPress plugin. All releases from the earliest available version up to and including 2.3.8 are impacted. No specific patch levels are listed beyond the version ceiling of 2.3.8.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the plugin is accessed via the WordPress web interface, the attack vector is inferred to be remote and network based, potentially allowing attackers to target the site over the internet. Exploitation requires the ability to access the plugin’s administrative functionality, which may be limited by existing permissions on the site.

Generated by OpenCVE AI on April 9, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Wp Ultimate Review plugin to a version higher than 2.3.8 as soon as an update is available.
  • Confirm that the new plugin version has the broken access control issue patched.
  • Review and limit administrative and review management user roles to the minimum necessary permissions.
  • Audit site logs for any suspicious review‑related activity that might indicate prior exploitation.
  • Maintain an ongoing security monitoring plan for WordPress plugins and core updates.

Generated by OpenCVE AI on April 9, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Roxnor
Roxnor wp Ultimate Review
Wordpress
Wordpress wordpress
Vendors & Products Roxnor
Roxnor wp Ultimate Review
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wp Ultimate Review: from n/a through <= 2.3.8.
Title WordPress Wp Ultimate Review plugin <= 2.3.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Roxnor Wp Ultimate Review
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-09T15:34:12.969Z

Reserved: 2026-04-07T10:57:48.107Z

Link: CVE-2026-39644

cve-icon Vulnrichment

Updated: 2026-04-09T15:33:43.987Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:35.213

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39644

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:40:46Z

Weaknesses