Skip to main content

The Moneytizer CVE-2026-39685

| EUVDEUVD-2026-20373 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-3mhr-hwm3-pcr6
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20373
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Moneytizer: from n/a through <= 10.0.10.

AnalysisAI

Missing authorization in The Moneytizer WordPress plugin through version 10.0.10 allows unauthenticated remote attackers to modify content via incorrectly configured access control, enabling unauthorized data integrity changes without requiring authentication or user interaction. While CVSS scores 5.3 (medium) and EPSS exploitation probability is minimal at 0.02%, the lack of authentication requirements and network accessibility make this a persistent authorization bypass affecting all installations of vulnerable versions.

Technical ContextAI

The Moneytizer WordPress plugin implements access control mechanisms that fail to properly validate user permissions before allowing state-changing operations. This is a CWE-862 (Missing Authorization) vulnerability where the application checks whether an action is allowed but fails to verify that the user performing the action has sufficient privileges. The vulnerability resides in the plugin's backend request handlers, which process user input without proper role-based access control (RBAC) enforcement. WordPress plugins typically extend wp-admin functionality; this vulnerability suggests certain administrative or data-modification endpoints lack capability checks (e.g., missing current_user_can() validation in action handlers). The affected CPE (cpe:2.3:a:lvaudore:the_moneytizer:*:*:*:*:*:*:*:*) indicates all versions up to 10.0.10 are vulnerable.

RemediationAI

Upgrade The Moneytizer WordPress plugin to a patched version beyond 10.0.10. Vendors typically release patched versions shortly after vulnerability disclosure; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-10-broken-access-control-vulnerability) for the exact fixed version number. If automatic updates are enabled in WordPress, the patch will install automatically. Site administrators should verify the plugin version in WordPress admin dashboard (Plugins > Installed Plugins > The Moneytizer) and manually update via Plugins > Available Updates if needed. As a temporary mitigation, restrict admin access via WordPress user roles (only trusted administrators should have plugin management capabilities), though this does not eliminate the vulnerability itself.

Share

CVE-2026-39685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy