Skip to main content

Diet Calorie Calculator CVE-2026-39680

| EUVDEUVD-2026-20364 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-36c7-mfh8-886h
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20364
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in MWP Development Diet Calorie Calculator diet-calorie-calculator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Diet Calorie Calculator: from n/a through <= 1.1.1.

AnalysisAI

Missing authorization in MWP Development Diet Calorie Calculator plugin through version 1.1.1 allows unauthenticated remote attackers to gain unauthorized read access to sensitive data via improperly configured access control. The vulnerability affects all versions from inception through 1.1.1, with a network attack vector and minimal complexity. Although the CVSS base score is 5.3 (moderate), real-world risk is substantially lower: EPSS exploitation probability is only 0.02% (fourth percentile), no public exploit code or active exploitation has been identified, and the vulnerability is limited to information disclosure without integrity or availability impact.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control defect in web application security. This class of flaw occurs when an application fails to verify that a user has the necessary permissions before granting access to restricted functionality or data. In the context of the Diet Calorie Calculator WordPress plugin (CPE: cpe:2.3:a:mwp_development:diet_calorie_calculator:*:*:*:*:*:*:*:*), the incorrectly configured access control security levels permit unauthenticated network-based requests to retrieve information that should be protected. Unlike authentication bypass vulnerabilities that spoof identity, this represents a failure in authorization logic-the plugin lacks proper privilege checks regardless of whether a user is authenticated.

RemediationAI

Upgrade the Diet Calorie Calculator plugin to a version after 1.1.1 once the vendor releases a patched release addressing the missing authorization flaw. Users should verify patch availability on the WordPress plugin repository or contact MWP Development directly. In the interim, site administrators can mitigate risk by restricting plugin functionality to authenticated users only via server-side access controls (e.g., WordPress role-based access restrictions) or by disabling the plugin until a patch is available. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/diet-calorie-calculator/vulnerability/wordpress-diet-calorie-calculator-plugin-1-1-1-broken-access-control-vulnerability) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39680) for vendor patch status confirmation.

Share

CVE-2026-39680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy