Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in wp-configurator WP Configurator Pro wp-configurator-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Configurator Pro: from n/a through <= 3.7.9.
AnalysisAI
WP Configurator Pro contains a missing authorization vulnerability (CWE-862) that allows attackers to bypass access controls and exploit incorrectly configured security levels within the plugin. All versions of WP Configurator Pro through version 3.7.9 are affected. An attacker can gain unauthorized access to sensitive configuration functions and data by circumventing the broken access control mechanisms, potentially compromising WordPress site integrity and confidentiality.
Technical ContextAI
The vulnerability resides in the WP Configurator Pro WordPress plugin (identified via CPE cpe:2.3:a:wp-configurator:wp_configurator_pro:*:*:*:*:*:*:*:*), which provides configuration management functionality for WordPress installations. The root cause is classified as CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before granting access to sensitive administrative or configuration functions. WordPress plugins of this type typically handle site-wide settings and configurations, and improper access control allows unauthenticated or insufficiently privileged users to modify these settings. The vulnerability affects the plugin's core access control logic, where authorization checks are either missing, improperly implemented, or bypassed through parameter manipulation.
RemediationAI
The primary remediation is to upgrade WP Configurator Pro to a patched version beyond 3.7.9 as soon as a security update is released by the vendor. Site administrators should check the Patchstack advisory and the plugin's official repository for the latest security patch. As an interim mitigation while awaiting a patch, restrict access to the wp-admin area and plugin configuration pages to trusted IP addresses using a Web Application Firewall (WAF) or server-level access controls, disable the WP Configurator Pro plugin if it is not actively in use, and audit recent configuration changes and user access logs for signs of unauthorized modifications. Additionally, implement capability-based access restrictions at the WordPress level to limit which user roles can interact with configuration functions.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15851
GHSA-943g-5x48-w59q