Skip to main content

Mailercloud 8211 Integrate Webforms And Synchronize Website Contacts CVE-2026-39713

| EUVDEUVD-2026-20424 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-295f-cjg2-fv68
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20424
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in mailercloud Mailercloud &#8211; Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mailercloud &#8211; Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7.

AnalysisAI

Mailercloud - Integrate Webforms and Synchronize Website Contacts plugin versions up to 1.0.7 for WordPress suffers from missing authorization checks that allow unauthenticated remote attackers to modify data via incorrectly configured access control. The vulnerability (CWE-862) permits unauthorized modification of plugin functionality without proper privilege validation, affecting any WordPress installation running the vulnerable plugin version. Although EPSS probability is low (0.02%) and no active exploitation is confirmed, the remote unauthenticated attack vector and impact on data integrity warrant timely patching.

Technical ContextAI

This is a missing authorization vulnerability (CWE-862: Missing Authorization) in a WordPress plugin that handles web form integration and contact synchronization. WordPress plugins extend core functionality through hooks, filters, and REST API endpoints; this plugin fails to implement proper capability checks (wp_verify_nonce, current_user_can()) on one or more endpoints or actions that modify data. The vulnerable code likely accepts unauthenticated requests to perform operations that should require authenticated administrator or contributor privileges. The CVE affects Mailercloud - Integrate Webforms and Synchronize Website Contacts (CPE identifier: cpe:2.3:a:mailercloud:mailercloud_&#8211;_integrate_webforms_and_synchronize_website_contacts) across all versions from initial release through version 1.0.7.

RemediationAI

Update Mailercloud - Integrate Webforms and Synchronize Website Contacts plugin to version 1.0.8 or later immediately. Access the WordPress plugin dashboard, navigate to Plugins, and manually update the plugin or enable automatic updates. No workarounds mitigate the authorization bypass. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/mailercloud-integrate-webforms-synchronize-contacts/vulnerability/) for confirmation of patched version availability. After updating, verify the plugin functionality is intact and review recent access logs for unauthorized data modifications.

Share

CVE-2026-39713 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy