Skip to main content

Mayosis Core CVE-2026-39655

| EUVDEUVD-2026-31801 MEDIUM
Missing Authorization (CWE-862)
2026-05-26 Patchstack GHSA-hpcp-j63f-vvmq
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:05 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Mayosis Core: from n/a through 5.4.7.

AnalysisAI

Missing authorization in the Mayosis Core WordPress plugin (versions through 5.4.7) by TeconceTheme allows unauthenticated remote attackers to exploit incorrectly configured access control security levels, resulting in unauthorized modification of data (integrity impact). The CVSS vector confirms no authentication or user interaction is required, and the vulnerability is network-exploitable against default configurations. No public exploit code exists and no active exploitation has been confirmed at time of analysis.

Technical ContextAI

Mayosis Core is a WordPress plugin developed by TeconceTheme, identified by CPE cpe:2.3:a:teconcetheme:mayosis_core:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization): the plugin performs privileged or restricted operations without properly verifying that the requesting user holds the necessary authorization level. This class of vulnerability typically arises when WordPress REST API endpoints, AJAX handlers, or admin-facing callbacks are registered without nonce verification, capability checks (e.g., current_user_can()), or equivalent access control enforcement, allowing any caller - authenticated or not - to trigger functionality that should be restricted. The tag 'Authentication Bypass' further confirms that authorization gates are either absent or bypassable at the access control layer.

RemediationAI

Update Mayosis Core to a version above 5.4.7 as soon as a patched release is confirmed available via the WordPress plugin repository or the TeconceTheme vendor channel. The Patchstack advisory (https://patchstack.com/database/wordpress/plugin/mayosis-core/vulnerability/wordpress-mayosis-core-plugin-5-4-7-broken-access-control-vulnerability) should be monitored for patch version confirmation, as no exact fixed version number was present in the available data at time of analysis. If an immediate update is not possible, a compensating control is to temporarily deactivate the Mayosis Core plugin to eliminate the attack surface entirely - note this will disable associated theme functionality. As a secondary workaround, a WordPress web application firewall (e.g., Patchstack, Wordfence) with virtual patching rules for this CVE can block exploitation attempts without requiring plugin deactivation. No patch version has been independently confirmed from available data; do not assume versions above 5.4.7 are safe without vendor confirmation.

Share

CVE-2026-39655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy