Description
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to plugin functions
Action: Patch Now
AI Analysis

Impact

A missing authorization check in the Massiveshift AI Workflow Automation WordPress plugin allows attackers to bypass normal access controls and execute privileged actions on automated workflows. The flaw can be exploited to add, modify, or delete tasks, potentially exposing sensitive information or enabling further compromise. The weakness is identified as missing authorization (CWE‑862).

Affected Systems

The vulnerability affects the Massiveshift AI Workflow Automation plugin for WordPress, version 1.4.2 and older. All releases from the earliest available version up through 1.4.2 are impacted, as the issue exists from the start of the product line until the stated limit.

Risk and Exploitability

The CVSS score of 5.3 rates the vulnerability as Medium severity, while the EPSS score below 1% indicates a currently low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is inferred from the description and is a remote HTTP request to the plugin’s administrative endpoints; an attacker may exploit the flaw without needing valid credentials if access controls are misconfigured. Successful exploitation would compromise the integrity and availability of the site’s workflow automation features.

Generated by OpenCVE AI on April 13, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AI Workflow Automation plugin to the latest release that contains the fix.
  • If an update is not available, consider disabling the plugin or removing it entirely from the site.
  • Restrict the plugin’s administrative endpoints so that only users with the administrator role can access them.
  • Audit WordPress user roles to ensure only trusted administrators have permission to modify workflow automations.
  • Monitor the plugin’s logs for unexpected activity and verify that no unauthorized changes have occurred.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Massiveshift; Massiveshift ai Workflow Automation; Wordpress; Wordpress wordpress
Vendors & Products | | Massiveshift; Massiveshift ai Workflow Automation; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
Title | | WordPress AI Workflow Automation plugin <= 1.4.2 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.567Z

Reserved: 2026-04-07T10:58:16.464Z

Link: CVE-2026-39699

Vulnrichment

Updated: 2026-04-13T18:18:18.070Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:42.437

Modified: 2026-04-24T18:05:35.730

Link: CVE-2026-39699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:38:26Z
