Mailercloud 8211 Integrate Webforms And Synchronize Website Contacts
CVE-2026-39713
|
EUVD-2026-20424
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in mailercloud Mailercloud – Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mailercloud – Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7.
AnalysisAI
Mailercloud - Integrate Webforms and Synchronize Website Contacts plugin versions up to 1.0.7 for WordPress suffers from missing authorization checks that allow unauthenticated remote attackers to modify data via incorrectly configured access control. The vulnerability (CWE-862) permits unauthorized modification of plugin functionality without proper privilege validation, affecting any WordPress installation running the vulnerable plugin version. Although EPSS probability is low (0.02%) and no active exploitation is confirmed, the remote unauthenticated attack vector and impact on data integrity warrant timely patching.
Technical ContextAI
This is a missing authorization vulnerability (CWE-862: Missing Authorization) in a WordPress plugin that handles web form integration and contact synchronization. WordPress plugins extend core functionality through hooks, filters, and REST API endpoints; this plugin fails to implement proper capability checks (wp_verify_nonce, current_user_can()) on one or more endpoints or actions that modify data. The vulnerable code likely accepts unauthenticated requests to perform operations that should require authenticated administrator or contributor privileges. The CVE affects Mailercloud - Integrate Webforms and Synchronize Website Contacts (CPE identifier: cpe:2.3:a:mailercloud:mailercloud_–_integrate_webforms_and_synchronize_website_contacts) across all versions from initial release through version 1.0.7.
RemediationAI
Update Mailercloud - Integrate Webforms and Synchronize Website Contacts plugin to version 1.0.8 or later immediately. Access the WordPress plugin dashboard, navigate to Plugins, and manually update the plugin or enable automatic updates. No workarounds mitigate the authorization bypass. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/mailercloud-integrate-webforms-synchronize-contacts/vulnerability/) for confirmation of patched version availability. After updating, verify the plugin functionality is intact and review recent access logs for unauthorized data modifications.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-295f-cjg2-fv68