Skip to main content

Nm Gift Registry And Wishlist Lite CVE-2026-39588

| EUVDEUVD-2026-20229 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-3xmw-f5q8-mw2q
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20229
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13.

AnalysisAI

NM Gift Registry and Wishlist Lite WordPress plugin versions up to 5.13 allows unauthenticated remote attackers to modify data through missing authorization checks on access control settings. The vulnerability stems from incorrectly configured authorization levels that fail to validate user permissions before processing requests, enabling attackers to bypass authentication mechanisms and alter registry or wishlist information without proper credentials. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the low attack complexity.

Technical ContextAI

The vulnerability resides in a WordPress plugin architecture where access control decisions are implemented at the application level. CWE-862 (Missing Authorization) indicates the plugin fails to verify that an authenticated session or valid credentials exist before permitting sensitive operations. The affected plugin uses the standard WordPress permission model (capabilities system), but implementation flaws allow the authorization checks to be bypassed entirely. The AV:N/AC:L profile indicates the flaw is reachable over the network without requiring complex manipulation of the target system. The plugin processes requests that modify registry or wishlist data without proper nonce validation or capability checks, allowing any network-accessible client to submit requests that alter protected resources.

RemediationAI

Update NM Gift Registry and Wishlist Lite to a version newer than 5.13 when the vendor releases a patched version. Users should verify the plugin's official page on WordPress.org or the vendor's advisory for the specific patched version number. As an interim mitigation, restrict direct HTTP access to the plugin's request handlers using web application firewall (WAF) rules or WordPress security plugins that enforce capability checks before processing modify operations. Implement WordPress user role auditing to ensure only trusted administrators have access to gift registry configuration. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/nm-gift-registry-and-wishlist-lite/vulnerability/wordpress-nm-gift-registry-and-wishlist-lite-plugin-5-13-broken-access-control-vulnerability) for timeline confirmation and alternative mitigation strategies.

Share

CVE-2026-39588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy