Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-accessible WordPress plugin requiring Contributor-level authentication (PR:L); missing authorization permits limited integrity modifications only, with no confidentiality or availability impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Contributor Broken Access Control in Nelio Content <= 4.3.4 versions.
AnalysisAI
Broken access control in the Nelio Content WordPress plugin (versions 4.3.4 and earlier) allows authenticated users holding only the Contributor role to bypass intended authorization restrictions and perform actions reserved for higher-privileged roles. The root cause is missing authorization checks (CWE-862) on one or more plugin endpoints, enabling unauthorized integrity-affecting operations on content managed by the plugin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with at minimum the Contributor role on the target site - fully unauthenticated exploitation is not possible per the CVSS vector (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N correctly characterizes this as a low-complexity network attack requiring authenticated low-privilege access with limited integrity impact and no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a Contributor-level account on a WordPress site running Nelio Content <= 4.3.4, then crafts authenticated HTTP requests to the plugin's insufficiently protected endpoints, invoking actions - such as modifying editorial schedules, content metadata, or social publishing settings - normally restricted to Editors or Administrators. Because attack complexity is low and no user interaction is required, exploitation is straightforward once the specific vulnerable endpoint is identified, though no public exploit code is currently known to exist. |
| Remediation | Update Nelio Content to a version beyond 4.3.4 as soon as the vendor releases a patched build - no specific fixed version number is confirmed in the available source data, so administrators should monitor the Patchstack advisory and the WordPress plugin repository for an update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39763
GHSA-65vc-5v9h-jmcw