Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Missing authorization on a network-reachable WordPress endpoint needs no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is data modification only, so I:H with C:N/A:N.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Gutenverse Companion <= 2.5.0 versions.
AnalysisAI
Unauthorized data modification in the Gutenverse Companion WordPress plugin (versions 2.5.0 and earlier) lets remote unauthenticated attackers invoke protected functionality due to a missing authorization check. The CVSS 3.1 vector (AV:N/PR:N/UI:N, I:H, C:N, A:N) indicates a network-reachable, no-login integrity compromise rather than data theft or outage. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that a vulnerable installation of Gutenverse Companion (version 2.5.0 or earlier) be installed, active, and network-reachable on a WordPress site; per the CVSS vector AV:N/AC:L/PR:N/UI:N there is no special configuration, authentication, or user interaction needed to reach the unguarded endpoint, so this is effectively unauthenticated exploitation against default deployments running the plugin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partially aligned and partially incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans WordPress sites for the Gutenverse Companion plugin and sends a crafted unauthenticated HTTP request to the plugin's exposed action, invoking a privileged operation that should require a logged-in authorized user. Because the authorization check is missing, the request succeeds and modifies site state without any credentials or user interaction. … |
| Remediation | No vendor-released patch version is identified in the available data, so confirm the fixed release directly from the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/gutenverse-companion/vulnerability/wordpress-gutenverse-companion-plugin-2-5-0-broken-access-control-vulnerability?_s_id=cve) and upgrade to the first version published above 2.5.0 once available; do not assume a specific number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress installations running Gutenverse Companion versions 2.5.0 or earlier; disable and remove the plugin; audit content modification logs for unauthorized changes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39676
GHSA-5fm5-5j35-734h