Description
Unauthenticated Multiple Vulnerabilities in BitFire Security <= 5.0.3 versions.
Published: 2026-06-26
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BitFire Security, a WordPress plugin by Cory Marsh, contains multiple vulnerabilities that can be triggered without authentication. These weaknesses enable an attacker to perform unauthorized actions within the WordPress site, potentially compromising data confidentiality, integrity, or availability. The assigned weakness is CWE-1284 (Improper Validation of Specified Quantity in Input), which the analysis characterises as an authorization flaw that permits feature usage beyond the intended user access levels.

Affected Systems

WordPress installations running the BitFire Security plugin at version 5.0.3 or earlier are affected. Any site that has not updated the plugin to the fixed release (5.0.4 or later) remains vulnerable. No additional system requirements are specified; the issue is confined to the plugin code itself.

Risk and Exploitability

The CVSS score of 8.6 reflects a high severity level, with a likely exploitation path that involves sending crafted requests to the plugin's exposed endpoints without any authentication. No EPSS score is available, and there is no evidence of exploitation in the wild or a listing in the CISA KEV catalog, so active attacks are not documented. Nevertheless, the high CVSS score combined with unauthenticated access indicates a significant risk that security teams should address promptly.

Generated by OpenCVE AI on June 26, 2026 at 16:40 UTC.

Remediation

Vendor Solution

Update the WordPress BitFire Security Plugin to the latest available version (at least 5.0.4).
OpenCVE Recommended Actions

  • Update the WordPress BitFire Security Plugin to version 5.0.4 or later.
  • If an upgrade cannot be performed immediately, disable the BitFire Security plugin to prevent unauthenticated exploitation.
  • Apply site-level access controls to restrict plugin URLs to authenticated administrative users only.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Values added:
  Description: Unauthenticated Multiple Vulnerabilities in BitFire Security <= 5.0.3 versions.
  Title: WordPress BitFire Security plugin <= 5.0.3 - Multiple Vulnerabilities vulnerability
  Weaknesses: CWE-1284
  References:
  Metrics (cvssV3_1): {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:18:20.295Z

Reserved: 2026-06-18T14:37:40.347Z

Link: CVE-2026-56035

Vulnrichment

Updated: 2026-06-26T20:18:15.652Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:45:03Z

Weaknesses
  • CWE-1284: Improper Validation of Specified Quantity in Input