Skip to main content

WP Document Revisions CVE-2026-42677

| EUVDEUVD-2026-33686 HIGH
Missing Authorization (CWE-862)
2026-06-01 Patchstack GHSA-q4v3-vrvm-j488
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 01, 2026 - 18:01 EUVD
Analysis Generated
Jun 01, 2026 - 17:16 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Ben Balter WP Document Revisions allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects WP Document Revisions: from n/a before 4.0.0.

AnalysisAI

Information disclosure in WP Document Revisions WordPress plugin versions before 4.0.0 allows unauthenticated remote attackers to access protected documents due to broken access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N) indicates trivially exploitable confidentiality-only impact, and no public exploit identified at time of analysis, though Patchstack has cataloged the issue with a working proof reference.

Technical ContextAI

WP Document Revisions is a WordPress plugin by Ben Balter providing document management, versioning, and workflow capabilities for sites that need to track revisions of files (often used in government, legal, and enterprise contexts). The vulnerability falls under CWE-862 (Missing Authorization), meaning the plugin's request handlers fail to verify that the requesting user possesses the required capability or role before returning protected resources. Per the CPE entry cpe:2.3:a:ben_balter:wp_document_revisions:*, all versions of the plugin prior to 4.0.0 are affected by the incorrectly configured access control level on document-serving endpoints.

RemediationAI

Vendor-released patch: upgrade WP Document Revisions to version 4.0.0 or later via the WordPress plugin updater or by replacing the plugin files manually. Site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-document-revisions/vulnerability/wordpress-wp-document-revisions-plugin-3-8-1-broken-access-control-vulnerability for additional detail. If immediate upgrade is not possible, compensating controls include restricting access to the plugin's document-serving URL patterns (typically /documents/ and the wp-content/uploads document paths) at the web server or WAF layer to authenticated sessions only - note this will break legitimate public document access if any documents are intended to be public - or temporarily deactivating the plugin if document availability is not business-critical. Audit web server access logs for unauthorized requests to document endpoints prior to patching to determine whether exposure occurred.

Share

CVE-2026-42677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy