Skip to main content

Cartflows CVE-2026-39477

| EUVDEUVD-2026-20144 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-8f6m-3c4p-c477
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
4.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20144
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through <= 2.2.3.

AnalysisAI

Missing authorization in Brainstorm Force CartFlows WordPress plugin versions up to 2.2.3 allows authenticated attackers to modify data through incorrectly configured access control, enabling unauthorized changes to plugin settings or resources. CVSS 4.3 (low severity) with EPSS 0.02% indicates limited real-world exploitation probability; the vulnerability requires prior authentication and does not enable code execution or confidentiality breaches.

Technical ContextAI

CartFlows is a WordPress e-commerce funnel builder plugin developed by Brainstorm Force, distributed via the WordPress plugin marketplace and identified by CPE cpe:2.3:a:brainstorm_force:cartflows:*:*:*:*:*:*:*:*. The vulnerability stems from CWE-862 (Missing Authorization), a classic access control flaw where the application fails to enforce proper permission checks before allowing authenticated users to perform sensitive operations. In WordPress plugins, this typically manifests as missing nonce verification, inadequate capability checks (e.g., using 'manage_options' when role-based restrictions are required), or direct database modifications without proper ACL enforcement. CartFlows' improper access control allows authenticated users with lower privileges to access or modify resources intended for higher-privilege roles, compromising the plugin's security posture within WordPress's multi-role ecosystem.

RemediationAI

Update CartFlows to a patched version newer than 2.2.3 as released by Brainstorm Force. Users should navigate to WordPress Dashboard → Plugins → Installed Plugins and check for available updates, or manually download the latest CartFlows release from https://patchstack.com/database/Wordpress/Plugin/cartflows/. Additionally, audit WordPress user roles and capabilities to ensure non-administrator users do not have unnecessary access to CartFlows settings; restrict the 'manage_cartflows' capability (or equivalent) to administrators only via WordPress capability checks. Consult the Brainstorm Force security advisory and NIST CVE entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39477) for patch version details and deployment guidance.

Share

CVE-2026-39477 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy