Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
AnalysisAI
Broken access control in AA Web Servant 12 Step Meeting List plugin version 3.19.9 and earlier allows authenticated users to view sensitive information by exploiting misconfigured access control security levels. An attacker with low-level privileges can enumerate or access data they should not be permitted to view, exposing confidential meeting or user information. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating low real-world exploitation probability despite the moderate CVSS score of 6.5.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a common flaw in access control logic where application security checks fail to properly validate user permissions before granting access to protected resources. In the 12 Step Meeting List plugin (CPE: cpe:2.3:a:aa_web_servant:12_step_meeting_list:*:*:*:*:*:*:*:*), access control security levels are incorrectly configured, permitting users with limited authentication status (PR:L per CVSS vector) to retrieve or view confidential data. This typically occurs when authorization checks are missing from API endpoints, data retrieval functions, or administrative interfaces, allowing privilege escalation through horizontal access control bypass rather than vertical elevation.
RemediationAI
Upgrade the 12 Step Meeting List plugin to a patched version greater than 3.19.9 immediately upon availability. Consult the Patchstack database (https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-broken-access-control-vulnerability?_s_id=cve) and NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2026-39569) for the specific patched release version. Until a patch is released, restrict user account creation and lower-privilege role assignments to minimize the attack surface, audit access control logs for unauthorized data access, and consider temporarily disabling the plugin if meeting information is not mission-critical. Implement WordPress security plugins that monitor unauthorized access attempts to sensitive endpoints.
More in 12 Step Meeting List
View allMissing Authorization vulnerability in Code for Recovery 12 Step Meeting List.14.28. Rated high severity (CVSS 8.8), thi
The AA Web Servant 12 Step Meeting List WordPress plugin through version 3.19.9 exposes sensitive information in sent da
Server-Side Request Forgery (SSRF) vulnerability in Code for Recovery 12 Step Meeting List.14.24. Rated medium severity
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20215
GHSA-mrpg-59p9-vgrh