Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from n/a through <= 1.1.
AnalysisAI
Missing authorization in Obadiah Super Custom Login WordPress plugin versions 1.1 and earlier allows unauthenticated remote attackers to bypass access controls and gain limited information disclosure. The vulnerability stems from incorrectly configured access control security levels that fail to enforce proper authorization checks, enabling attackers to exploit weak authentication mechanisms without requiring valid credentials or user interaction.
Technical ContextAI
The vulnerability is classified as CWE-862 (Missing Authorization), which occurs when access control mechanisms fail to properly restrict resource access based on user privileges. In the context of the Super Custom Login WordPress plugin (CPE: cpe:2.3:a:obadiah:super_custom_login:*:*:*:*:*:*:*:*), the plugin's authentication and login customization functionality lacks sufficient authorization validation. This allows the access control security levels to be exploited, permitting unauthorized users to circumvent intended restrictions. The vulnerability affects the core authentication bypass mechanisms that should validate user permissions before granting access to protected resources or sensitive information.
RemediationAI
Upgrade Obadiah Super Custom Login to a version greater than 1.1 if available from the vendor. Immediate patch availability for specific fixed versions is not confirmed in the provided data; however, users should check the plugin's official WordPress.org repository or the vendor's advisory at https://patchstack.com/database/Wordpress/Plugin/super-custom-login for the latest patched release. As an interim mitigation, consider restricting access to login customization features through web server configuration or temporarily disabling the plugin until an update is available. Additional guidance may be available via the NIST NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-39605.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20236
GHSA-3gmf-wjhx-fmw7