Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Influencer influencer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Influencer: from n/a through <= 1.1.7.
AnalysisAI
Improper access control in raratheme Influencer through version 1.1.7 allows unauthenticated remote attackers to modify data or resources due to incorrectly configured authorization checks. The vulnerability requires no user interaction and can be exploited over the network, though no patch is currently available.
Technical ContextAI
The vulnerability exists in the raratheme Influencer plugin (identified via CPE as cpe:2.3:a:raratheme:influencer), which is a WordPress plugin framework for influencer management and collaboration. The root cause is classified under CWE-862 (Missing Authorization), indicating that the plugin fails to properly enforce authorization checks on sensitive operations, likely in REST API endpoints or form handlers that process requests without validating user permissions. This is a common misconfiguration in WordPress plugin development where developers implement functionality but fail to add proper capability checks (is_user_logged_in(), current_user_can()) or nonce verification before processing critical operations. The affected versions through 1.1.7 suggest the vulnerability has persisted across multiple releases without remediation.
RemediationAI
Immediately upgrade the raratheme Influencer plugin to the first patched version released after 1.1.7 through the WordPress plugin management interface or via direct download from the official raratheme repository. If immediate patching is not possible, implement network-level access controls by restricting HTTP POST/PUT/DELETE requests to the plugin's REST API endpoints to authenticated users only, configure a Web Application Firewall (WAF) rule to require valid authentication headers, and audit recent access logs for any unauthorized modification attempts. Additionally, review plugin-generated data integrity through backup restoration and audit trails to identify any malicious changes that may have occurred during the vulnerability window.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11866