Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Studio99 Studio99 WP Monitor studio99-wp-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Studio99 WP Monitor: from n/a through <= 1.0.3.
AnalysisAI
Studio99 WP Monitor versions through 1.0.3 contain a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data or settings due to incorrectly configured access controls. The vulnerability has a CVSS score of 5.3 with a network attack vector requiring no privileges or user interaction, enabling integrity compromise without authentication. There is no indication of active exploitation in the wild or public proof-of-concept code at this time, though the low attack complexity and network accessibility make this a moderate priority for WordPress site administrators running this monitoring plugin.
Technical ContextAI
Studio99 WP Monitor is a WordPress plugin designed for site monitoring and administration. The vulnerability stems from CWE-862 (Missing Authorization), which occurs when the application fails to properly verify user permissions before allowing access to sensitive operations or data modification endpoints. In WordPress plugins, this typically manifests as missing capability checks on AJAX handlers, REST API endpoints, or admin form submissions. The affected product (cpe:2.3:a:studio99:studio99-wp-monitor) uses the standard WordPress authentication and authorization framework, but the plugin developers failed to implement proper nonce validation, role checks, or capability verification on critical functionality, allowing any network-based attacker to craft requests that bypass access control layers and modify plugin settings or monitored data.
RemediationAI
The primary remediation is to upgrade Studio99 WP Monitor to a version newer than 1.0.3 where authorization checks have been implemented. Administrators should check the WordPress plugin repository or Studio99's official website for patch availability and apply updates immediately through the standard WordPress plugin update mechanism. As an interim mitigation if patching is delayed, restrict access to the WordPress admin dashboard and plugin settings to trusted IP addresses using a WAF or web server configuration, disable unnecessary AJAX endpoints if the plugin exposes them, and implement Web Application Firewall rules to detect and block requests attempting to modify plugin settings without proper authentication tokens. Additionally, enable WordPress security logging and monitor access logs for suspicious requests to the plugin's functionality endpoints.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11921