Description
Subscriber Broken Access Control in WPCafe <= 3.0.14 versions.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows low-privileged authenticated users to bypass access controls for content or configuration managed by the WPCafe plugin. It could enable an attacker with subscriber-level access to view or modify data that should be protected, potentially leading to disclosure or manipulation of site content.

Affected Systems

The vulnerability affects WordPress installations running the WPCafe plugin version 3.0.14 and earlier, provided by the vendor Arraytics. Any site using these plugin versions is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, suggesting no known wide‑scale exploitation. While the exact attack vector is not described, it is inferred that an attacker with subscriber-level access to the site can exploit the broken control to gain unauthorized privileges.

Generated by OpenCVE AI on June 26, 2026 at 16:58 UTC.

Remediation

Vendor Solution

Update the WordPress WPCafe Plugin to the latest available version (at least 3.0.15).


OpenCVE Recommended Actions

  • Update the WPCafe plugin to version 3.0.15 or later.
  • Re‑evaluate and tighten subscriber role permissions to ensure they do not retain unnecessary capabilities.
  • Deploy a security monitoring solution to detect abnormal activity from subscriber accounts.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Arraytics; Arraytics wpcafe; Wordpress; Wordpress wordpress |
| Vendors & Products | | Arraytics; Arraytics wpcafe; Wordpress; Wordpress wordpress |

Fri, 26 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 26 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Subscriber Broken Access Control in WPCafe <= 3.0.14 versions. |
| Title | | WordPress WPCafe plugin <= 3.0.14 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:42:46.942Z

Reserved: 2026-06-25T08:03:02.838Z

Link: CVE-2026-57622

Vulnrichment

Updated: 2026-06-26T17:26:48.399Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:00:05Z

Weaknesses