Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Netro Systems Make My Trivia trivialy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Make My Trivia: from n/a through <= 1.1.0.
AnalysisAI
Netro Systems Make My Trivia plugin through version 1.1.0 fails to properly enforce access controls, allowing unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured security levels. This missing authorization vulnerability (CWE-862) has a CVSS base score of 5.3 with low real-world exploitation risk (EPSS 0.02%, CISA SSVC exploitation status 'none') despite being automatable, suggesting the flaw requires specific misconfiguration to be exploitable in practice.
Technical ContextAI
The vulnerability stems from broken access control in a WordPress plugin, affecting the Netro Systems Make My Trivia plugin (CPE: cpe:2.3:a:netro_systems:make_my_trivia:*:*:*:*:*:*:*:*). CWE-862 (Missing Authorization) indicates the application fails to validate whether a user is authorized to access specific resources or functions. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) shows the attack is network-exploitable without authentication, credentials, or user interaction, but with low complexity - however, the description specifies 'Incorrectly Configured Access Control Security Levels,' implying the vulnerability manifests under non-default or misconfigured deployments rather than in stock installations. The plugin runs within WordPress's permission model, where proper integration with WordPress role-based access controls (admin, editor, author, contributor, subscriber) is critical.
RemediationAI
Update Netro Systems Make My Trivia plugin to a patched version above 1.1.0 immediately. Review and correct access control configurations in WordPress settings and plugin options to ensure only intended user roles can access trivia content and administrative functions. Verify WordPress role assignments and verify that the plugin correctly respects the PR:N (unauthenticated) and C:L (confidentiality) scope of the flaw by auditing user role permissions in WordPress admin panel (Users > Roles and Capabilities). Consult the Patchstack advisory and NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39706) for plugin-specific configuration guidance from the vendor.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20412
GHSA-q67g-jvcc-rpxx