Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in MWP Development Diet Calorie Calculator diet-calorie-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Diet Calorie Calculator: from n/a through <= 1.1.1.
AnalysisAI
Missing authorization in MWP Development Diet Calorie Calculator plugin through version 1.1.1 allows unauthenticated remote attackers to gain unauthorized read access to sensitive data via improperly configured access control. The vulnerability affects all versions from inception through 1.1.1, with a network attack vector and minimal complexity. Although the CVSS base score is 5.3 (moderate), real-world risk is substantially lower: EPSS exploitation probability is only 0.02% (fourth percentile), no public exploit code or active exploitation has been identified, and the vulnerability is limited to information disclosure without integrity or availability impact.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control defect in web application security. This class of flaw occurs when an application fails to verify that a user has the necessary permissions before granting access to restricted functionality or data. In the context of the Diet Calorie Calculator WordPress plugin (CPE: cpe:2.3:a:mwp_development:diet_calorie_calculator:*:*:*:*:*:*:*:*), the incorrectly configured access control security levels permit unauthenticated network-based requests to retrieve information that should be protected. Unlike authentication bypass vulnerabilities that spoof identity, this represents a failure in authorization logic-the plugin lacks proper privilege checks regardless of whether a user is authenticated.
RemediationAI
Upgrade the Diet Calorie Calculator plugin to a version after 1.1.1 once the vendor releases a patched release addressing the missing authorization flaw. Users should verify patch availability on the WordPress plugin repository or contact MWP Development directly. In the interim, site administrators can mitigate risk by restricting plugin functionality to authenticated users only via server-side access controls (e.g., WordPress role-based access restrictions) or by disabling the plugin until a patch is available. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/diet-calorie-calculator/vulnerability/wordpress-diet-calorie-calculator-plugin-1-1-1-broken-access-control-vulnerability) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39680) for vendor patch status confirmation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20364
GHSA-36c7-mfh8-886h