Skip to main content

Nelio Content CVE-2026-57648

| EUVDEUVD-2026-39763 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-65vc-5v9h-jmcw
4.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible WordPress plugin requiring Contributor-level authentication (PR:L); missing authorization permits limited integrity modifications only, with no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:11 vuln.today

DescriptionCVE.org

Contributor Broken Access Control in Nelio Content <= 4.3.4 versions.

AnalysisAI

Broken access control in the Nelio Content WordPress plugin (versions 4.3.4 and earlier) allows authenticated users holding only the Contributor role to bypass intended authorization restrictions and perform actions reserved for higher-privileged roles. The root cause is missing authorization checks (CWE-862) on one or more plugin endpoints, enabling unauthorized integrity-affecting operations on content managed by the plugin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register WordPress Contributor account
Delivery
Authenticate to target WordPress site
Exploit
Identify Nelio Content plugin endpoint lacking capability check
Execution
Send crafted authorized request to restricted endpoint
Persist
Bypass missing authorization gate
Impact
Perform unauthorized content or editorial modification

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with at minimum the Contributor role on the target site - fully unauthenticated exploitation is not possible per the CVSS vector (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N correctly characterizes this as a low-complexity network attack requiring authenticated low-privilege access with limited integrity impact and no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor-level account on a WordPress site running Nelio Content <= 4.3.4, then crafts authenticated HTTP requests to the plugin's insufficiently protected endpoints, invoking actions - such as modifying editorial schedules, content metadata, or social publishing settings - normally restricted to Editors or Administrators. Because attack complexity is low and no user interaction is required, exploitation is straightforward once the specific vulnerable endpoint is identified, though no public exploit code is currently known to exist.
Remediation Update Nelio Content to a version beyond 4.3.4 as soon as the vendor releases a patched build - no specific fixed version number is confirmed in the available source data, so administrators should monitor the Patchstack advisory and the WordPress plugin repository for an update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57648 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy