Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable WordPress endpoint requires no authentication; impact is limited to low-severity integrity modification with no confidentiality or availability consequence.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in PressTigers Universal Clocks universal-clocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Clocks: from n/a through <= 1.2.0.
AnalysisAI
Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector PR:N/AC:L/UI:N indicates no authentication is required, no special attack complexity exists, and no user interaction is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.3 (Medium) reflects a remotely exploitable, low-complexity flaw requiring no authentication or user interaction, but with a limited impact ceiling - only Integrity:Low, with no Confidentiality or Availability impact (C:N/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running Universal Clocks ≤1.2.0 via passive fingerprinting (e.g., plugin enumeration through publicly visible asset paths), then submits a crafted HTTP POST request directly to the plugin's unprotected action endpoint, bypassing the missing authorization gate to execute a privileged plugin operation - such as modifying clock display settings or stored configuration - without presenting any credentials. No public POC has been identified at time of analysis, but the low attack complexity (AC:L) means exploitation would be straightforward once the specific endpoint is known. |
| Remediation | The primary remediation is to update the Universal Clocks plugin beyond version 1.2.0; however, no specific patched release version has been confirmed in the available intelligence - administrators should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/universal-clocks/vulnerability/wordpress-universal-clocks-plugin-1-2-0-broken-access-control-vulnerability for the latest release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43400