Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through <= 1.2.2.
AnalysisAI
RPS Include Content WordPress plugin through version 1.2.2 fails to properly enforce access control, allowing authenticated users to modify content they should not have permission to alter. The vulnerability stems from missing authorization checks that validate user permissions before allowing content modifications, affecting all installations of the plugin up to and including version 1.2.2. While the CVSS score of 6.5 reflects moderate severity, the low EPSS score (0.02% percentile 4%) suggests limited real-world exploitation probability, likely due to the requirement for authenticated access and the plugin's relatively narrow user base.
Technical ContextAI
RPS Include Content is a WordPress plugin that provides functionality for including content across pages and posts. The vulnerability is classified as CWE-862 (Missing Authorization), which occurs when the application performs an action or grants access based on user input without properly verifying that the user is authorized to perform that action. In this case, the plugin fails to implement proper authorization checks on its content modification endpoints, relying on authentication alone without validating the user's specific permissions to modify the targeted content. The affected product is identified via CPE cpe:2.3:a:redpixelstudios:rps_include_content:*:*:*:*:*:*:*:*, indicating all versions through 1.2.2 are vulnerable regardless of WordPress environment or hosting configuration.
RemediationAI
Update RPS Include Content to a patched version above 1.2.2 immediately. WordPress site administrators should navigate to the Plugins section of their WordPress dashboard, locate RPS Include Content, and click Update if available. If no update is available in the dashboard, visit the plugin's official repository or redpixelstudios' website to obtain the latest patched version. As a temporary workaround pending patch availability, restrict plugin access to trusted administrator-level users only by limiting user role assignments and disabling the plugin for non-administrative users if functionality permits. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/rps-include-content/vulnerability/wordpress-rps-include-content-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve) for patch version specifics and additional guidance from the plugin developer.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20298
GHSA-8mj5-q5fc-rjx2