Skip to main content

Newsletters CVE-2026-54840

| EUVDEUVD-2026-39682 HIGH
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-7hhw-r4mw-8jm8
7.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
7.3 HIGH

Unauthenticated network endpoint with no user interaction (AV:N/AC:L/PR:N/UI:N); missing authorization yields partial, scoped read/modify impact, so C/I/A are Low and scope Unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:37 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Newsletters <= 4.13 versions.

AnalysisAI

Missing authorization in the Newsletters (newsletters-lite) WordPress plugin through version 4.13 lets unauthenticated remote attackers reach functionality that should be access-controlled, producing limited confidentiality, integrity, and availability impact (CVSS 7.3). Reported by Patchstack and tagged as an authentication bypass, the flaw requires no credentials or user interaction, though no public exploit code or CISA KEV listing exists at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Newsletters <= 4.13
Delivery
Send unauthenticated request to unprotected plugin endpoint
Exploit
Bypass missing authorization check
Execution
Invoke restricted newsletter functionality
Impact
Read or alter scoped data

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of the Newsletters (newsletters-lite) WordPress plugin at version 4.13 or earlier, as reflected by AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partly aligned and partly incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scanning for WordPress sites running Newsletters <= 4.13 sends a crafted unauthenticated HTTP request directly to the plugin's unprotected endpoint, invoking a function that should require an authenticated, privileged user. Because no authorization check is enforced, the request succeeds and the attacker reads or modifies newsletter-related data or triggers a restricted action. …
Remediation No vendor-released patch version is identified in the available data; because the advisory designates 4.13 and earlier as vulnerable, a fixed release is expected to be the next version above 4.13, but that version is not confirmed in this input - confirm and apply the patched build via the WordPress plugin updater after checking the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-13-broken-access-control-vulnerability?_s_id=cve). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all WordPress instances to identify which use the Newsletters plugin and document affected versions (4.13 and earlier). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy