Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Unauthenticated network endpoint with no user interaction (AV:N/AC:L/PR:N/UI:N); missing authorization yields partial, scoped read/modify impact, so C/I/A are Low and scope Unchanged.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Newsletters <= 4.13 versions.
AnalysisAI
Missing authorization in the Newsletters (newsletters-lite) WordPress plugin through version 4.13 lets unauthenticated remote attackers reach functionality that should be access-controlled, producing limited confidentiality, integrity, and availability impact (CVSS 7.3). Reported by Patchstack and tagged as an authentication bypass, the flaw requires no credentials or user interaction, though no public exploit code or CISA KEV listing exists at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of the Newsletters (newsletters-lite) WordPress plugin at version 4.13 or earlier, as reflected by AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partly aligned and partly incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scanning for WordPress sites running Newsletters <= 4.13 sends a crafted unauthenticated HTTP request directly to the plugin's unprotected endpoint, invoking a function that should require an authenticated, privileged user. Because no authorization check is enforced, the request succeeds and the attacker reads or modifies newsletter-related data or triggers a restricted action. … |
| Remediation | No vendor-released patch version is identified in the available data; because the advisory designates 4.13 and earlier as vulnerable, a fixed release is expected to be the next version above 4.13, but that version is not confirmed in this input - confirm and apply the patched build via the WordPress plugin updater after checking the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-13-broken-access-control-vulnerability?_s_id=cve). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit all WordPress instances to identify which use the Newsletters plugin and document affected versions (4.13 and earlier). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39682
GHSA-7hhw-r4mw-8jm8