Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Terms Popup: from n/a through <= 2.10.0.
AnalysisAI
A missing authorization vulnerability exists in WP Terms Popup plugin for WordPress (versions through 2.10.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthenticated or low-privileged attackers to access restricted functionality without proper permission checks. This issue was reported by Patchstack and affects all installations of the plugin up to and including version 2.10.0.
Technical ContextAI
The vulnerability resides in the WP Terms Popup plugin (identified via CPE cpe:2.3:a:link_software_llc:wp_terms_popup:*:*:*:*:*:*:*:*), a WordPress plugin developed by Link Software LLC. The root cause is classified under CWE-862 (Missing Authorization), which indicates the application fails to perform proper authorization checks before allowing access to restricted resources or functions. In WordPress plugin contexts, this typically manifests as missing nonce validation, inadequate capability checks, or improper AJAX endpoint protection. The plugin handles terms-related popup functionality, and the broken access control allows bypassing the intended permission model that should restrict who can configure or trigger these popups.
RemediationAI
Immediately upgrade WP Terms Popup to a version newer than 2.10.0, with the specific patched version available from the plugin's official repository or via the Patchstack advisory link (https://patchstack.com/database/Wordpress/Plugin/wp-terms-popup/vulnerability/wordpress-wp-terms-popup-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve). If an immediate patch is unavailable, temporarily disable the WP Terms Popup plugin to prevent unauthorized access to popup configuration functions. As a complementary control, enforce authentication and authorization checks at the WordPress application level by limiting plugin functionality to authenticated users via user role restrictions in WordPress settings, and audit plugin access logs to detect exploitation attempts.
More in Wp Terms Popup
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15839
GHSA-x5qc-mg7g-45gj