Description
The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to access arbitrary private alba_card post data, including title, description, assignee, due date, tags, and comments, that is intended to be restricted to Administrators and Editors. The handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode, making this exploitable by unauthenticated users who can access any such page.
Published: 2026-06-05
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Alba Board WordPress plugin allows an authenticated user with subscriber-level access or any visitor to retrieve private card information, including title, description, assignee, due date, tags, and comments, through a publicly exposed AJAX endpoint. This flaw is a classic authorization bypass (CWE-862) that compromises confidentiality by exposing data that should be visible only to administrators and editors. The impact is a data leak of potentially sensitive project or task details.

Affected Systems

WordPress sites running the Alba Board plugin by alejo30, versions 2.1.3 and earlier. The vulnerability exists in all releases up to and including 2.1.3, so any site that has not upgraded past this version is affected.

Risk and Exploitability

The CVSS score of 4.3 rates the issue as Medium severity. While no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the publicly reachable AJAX endpoint and the nonce handed to every visitor mean an attacker can easily gather private card data from any site that displays the [alba_board] shortcode. No authentication or privilege check protects the AJAX handler, so both authenticated subscribers and unauthenticated visitors can exploit the flaw. The risk therefore centers on data leakage rather than privilege escalation.

Generated by OpenCVE AI on June 6, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Alba Board plugin to version 2.1.4 or newer, if available.
  • If upgrading is not immediately possible, remove or disable the [alba_board] shortcode from publicly accessible pages to prevent the AJAX handler from being invoked.
  • As a temporary measure, unhook or remove the wp_ajax_nopriv_ endpoint handling the card details request so that unauthenticated requests cannot reach the vulnerable code.
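The missing-authorization pattern the description and analysis above describe, next to a hardened handler and the emergency unhook from the recommended actions, as an added PHP illustration. This is not the Alba Board plugin's own code: every function, action, script, meta-key and action-slug name below is a hypothetical placeholder; only alba_card, card_id, the wp_ajax_nopriv_ hook and wp_localize_script come from the page.

```php
<?php
/**
 * Added illustration, not the Alba Board plugin's code.
 * Part 1 shows the pattern the advisory describes (handler reachable
 * through wp_ajax_nopriv_, guarded only by a nonce that wp_localize_script
 * prints for every visitor). Part 2 is a hardened handler. Part 3 is an
 * emergency block for sites that cannot update yet. All names are
 * hypothetical placeholders.
 */

/* ---------- 1. Vulnerable pattern (illustrative) ---------- */

add_action( 'wp_ajax_example_get_card',        'example_get_card_unprotected' );
add_action( 'wp_ajax_nopriv_example_get_card', 'example_get_card_unprotected' );

function example_get_card_unprotected() {
    // A nonce only proves the request came from a page that printed it,
    // not that the caller may read private cards: every visitor to a page
    // rendering [alba_board] received this nonce via wp_localize_script.
    check_ajax_referer( 'example_board_nonce', 'nonce' );

    $card = get_post( isset( $_POST['card_id'] ) ? absint( $_POST['card_id'] ) : 0 );
    // No post-type, post-status or capability check before disclosure.
    wp_send_json_success( array(
        'title'       => $card ? $card->post_title : '',
        'description' => $card ? $card->post_content : '',
    ) );
}

/* ---------- 2. Hardened handler ---------- */

// Logged-in hook only: anonymous requests never reach the callback.
add_action( 'wp_ajax_example_get_card_v2', 'example_get_card_hardened' );

function example_get_card_hardened() {
    check_ajax_referer( 'example_board_nonce', 'nonce' );

    // Authorization first. read_private_posts is a primitive capability
    // held by the default Administrator and Editor roles and not by
    // Subscriber, Contributor or Author, which matches the access the
    // advisory says this data is meant to have. Assumption: the plugin
    // defines no custom capability; if alba_card were registered with
    // map_meta_cap, current_user_can( 'read_post', $card_id ) is finer.
    if ( ! current_user_can( 'read_private_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    $card_id = isset( $_POST['card_id'] ) ? absint( $_POST['card_id'] ) : 0;
    $card    = $card_id ? get_post( $card_id ) : null;

    // Bind the lookup to the expected post type so the endpoint cannot be
    // used to read arbitrary posts of other types.
    if ( ! $card || 'alba_card' !== $card->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    wp_send_json_success( array(
        'title'       => $card->post_title,
        'description' => $card->post_content,
        // Placeholder meta keys standing in for the fields the advisory lists.
        'assignee'    => get_post_meta( $card_id, 'example_assignee', true ),
        'due_date'    => get_post_meta( $card_id, 'example_due_date', true ),
    ) );
}

// Hand the nonce only to users who could pass the capability check,
// instead of to every visitor of a page containing the shortcode.
function example_board_enqueue() {
    if ( ! current_user_can( 'read_private_posts' ) ) {
        return;
    }
    wp_enqueue_script( 'example-board', plugins_url( 'board.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-board', 'exampleBoard', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_board_nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_board_enqueue' );

/* ---------- 3. Emergency mitigation while unpatched (mu-plugin) ---------- */

// Same effect as unhooking the wp_ajax_nopriv_ endpoint, without needing
// the callback reference that remove_action() requires. admin_init fires in
// admin-ajax.php before any wp_ajax_* / wp_ajax_nopriv_* action runs, and
// the capability test also stops logged-in Subscribers, not only visitors.
// Replace the placeholder with the plugin's real AJAX action slug.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( 'placeholder_card_details_action' === $action && ! current_user_can( 'read_private_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
}, 1 );
```

Part 3 belongs in wp-content/mu-plugins so it loads before the plugin; it is a stopgap until the update in the first recommendation can be applied, since a capability check inside the handler itself (part 2) is the durable fix.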

Generated by OpenCVE AI on June 6, 2026 at 00:20 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to access arbitrary private alba_card post data, including title, description, assignee, due date, tags, and comments, that is intended to be restricted to Administrators and Editors. The handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode, making this exploitable by unauthenticated users who can access any such page.
Title | | Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-05T22:28:07.553Z

Reserved: 2026-04-30T17:07:14.886Z

Link: CVE-2026-7523

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T23:16:44.620

Modified: 2026-06-05T23:16:44.620

Link: CVE-2026-7523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T00:30:08Z

Weaknesses