Skip to main content

Mipl Wc Multisite Sync CVE-2026-39705

| EUVDEUVD-2026-20411 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-fpj7-fjcx-j6w2
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20411
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.

AnalysisAI

Missing authorization in Mulika Team MIPL WC Multisite Sync WordPress plugin versions 1.4.4 and earlier allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control mechanisms. The vulnerability affects all versions from initial release through 1.4.4, with an EPSS score of 0.02% indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 5.3. No active exploitation or public proof-of-concept has been identified at time of analysis.

Technical ContextAI

MIPL WC Multisite Sync is a WordPress plugin designed to synchronize WooCommerce product and order data across multisite WordPress installations. The vulnerability stems from a missing authorization check (CWE-862) in the plugin's access control implementation, allowing an unauthenticated attacker to bypass security levels that should restrict data modification to authorized administrators or specific roles. The plugin's REST API endpoints or AJAX handlers likely lack proper nonce verification and capability checks, permitting unauthorized state modification operations on synchronized WooCommerce data across connected sites. As a WordPress plugin, exploitation occurs within the WordPress application context, requiring access to the vulnerable plugin's endpoints.

RemediationAI

Update MIPL WC Multisite Sync to a patched version newer than 1.4.4 via the WordPress plugin dashboard or by downloading the latest release from the plugin repository. If a specific patched version number is unavailable from the vendor, verify the plugin version has been updated to a post-1.4.4 release before re-enabling the plugin. As an interim mitigation, restrict WordPress REST API access to authenticated users or disable the plugin entirely if multisite synchronization is not actively required. Refer to the Patchstack vulnerability database and NIST NVD advisory for the most current patch information and plugin release notes.

Share

CVE-2026-39705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy