Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wp Ultimate Review: from n/a through <= 2.3.8.
AnalysisAI
Missing authorization in Roxnor Wp Ultimate Review plugin versions up to 2.3.8 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels, resulting in limited information disclosure. The vulnerability carries a low EPSS exploitation probability (0.02%, 4th percentile) and has not been confirmed as actively exploited, though the simple attack vector (network-accessible, no complexity, no authentication required) means opportunistic exploitation is feasible.
Technical ContextAI
This is a classic broken access control vulnerability (CWE-862) in a WordPress plugin. The plugin fails to properly validate user permissions before exposing sensitive operations or data endpoints. Roxnor Wp Ultimate Review is a WordPress plugin (CPE: cpe:2.3:a:roxnor:wp_ultimate_review:*:*:*:*:*:*:*:*) that appears to implement review functionality; the missing authorization controls allow bypass of intended security restrictions on access levels, enabling unauthenticated users to read protected content or perform unintended actions. WordPress plugins execute in the context of the WordPress application, and improper authorization checks-especially when absent entirely-are a common vulnerability class in the WordPress ecosystem.
RemediationAI
Update Roxnor Wp Ultimate Review to a version later than 2.3.8; the exact patched version number is not specified in available data, so administrators should check the plugin's official repository or the Patchstack advisory for the recommended upgrade target. Immediately apply the patch through the WordPress plugin management interface or by manual update. Until patching is complete, review and restrict access to the plugin's endpoints through WordPress user role management and, if possible, Web Application Firewall (WAF) rules to block unauthenticated access to sensitive plugin functions. Verify that access control checks are properly enforced post-patch.
More in Wp Ultimate Review
View allCross-Site Request Forgery (CSRF) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.0.3 versions. Rated high severit
Cross-Site Request Forgery (CSRF) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.2.4 versions. Rated high severit
Authorization Bypass Through User-Controlled Key vulnerability in Wpmet Wp Ultimate Review.2.5. Rated medium severity (C
Missing Authorization vulnerability in Wpmet Wp Ultimate Review.2.5. Rated medium severity (CVSS 5.3), this vulnerabilit
Client-Side Enforcement of Server-Side Security vulnerability in Wpmet Wp Ultimate Review allows Functionality Bypass.2.
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20303
GHSA-grgr-vjmq-55cc