Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Unauthenticated network exploitation with no complexity; scope change reflects cross-privilege data read; no integrity or availability impact applies.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions.
AnalysisAI
Unauthenticated broken access control in the Flash & HTML5 Video WordPress plugin (versions <= 2.11.0) allows remote unauthenticated attackers to bypass authorization checks and access restricted resources, crossing a privilege boundary (CVSS Scope Changed) with limited confidentiality impact. Reported by Patchstack and catalogued under EUVD-2026-39735, this is a CWE-862 (Missing Authorization) flaw requiring no credentials, no user interaction, and no special complexity to exploit. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Flash & HTML5 Video plugin must be installed and active on a WordPress site running a version at or below 2.11.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.8 (Medium) is consistent with the vector: network-accessible, no authentication, no interaction, but impact limited to partial confidentiality with scope change and no integrity or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running Flash & HTML5 Video <= 2.11.0 (discoverable via plugin fingerprinting or WPScan) and sends a crafted HTTP request directly to the plugin's unprotected endpoint, omitting or forging authorization context. The missing capability check allows the request to succeed, returning restricted data such as private post content or plugin configuration - with no credentials, no interaction, and no exploit tooling required beyond a basic HTTP client. … |
| Remediation | Update the Flash & HTML5 Video plugin to a version above 2.11.0 as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39735
GHSA-3m22-fr69-7ch4