Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in wpradiant Chocolate House chocolate-house allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chocolate House: from n/a through <= 1.1.5.
AnalysisAI
Improper access control in Chocolate House through version 1.1.5 allows unauthenticated remote attackers to modify data by bypassing authorization checks. The vulnerability affects all versions up to 1.1.5, and no patch is currently available. An attacker could exploit misconfigured security levels to gain unauthorized write access without authentication.
Technical ContextAI
This vulnerability is classified as CWE-862 (Missing Authorization), a critical access control flaw where the application fails to enforce privilege boundaries for sensitive operations. The wpradiant Chocolate House plugin, identified through CPE patterns as a WordPress plugin component, implements inadequate authorization checks on API endpoints or administrative functions that should require authentication. Unlike CWE-863 (Incorrect Authorization), which involves flawed authorization logic, this vulnerability represents a complete absence of authorization enforcement, allowing the application to process requests that should be restricted to authenticated and privileged users. The network-based attack vector (CVSS:3.1/AV:N) indicates the flaw is exploitable remotely without local access, and the low attack complexity (AC:L) means no special conditions or tool sophistication is required.
RemediationAI
Upgrade the wpradiant Chocolate House plugin to version 1.1.6 or later once available; check the WordPress plugin repository or wpradiant's official website for the patched release. If immediate patching is not possible, implement network-level access controls to restrict requests to the vulnerable plugin's endpoints to trusted IP ranges, and consider temporarily disabling the Chocolate House plugin until a patch is confirmed. Additionally, audit WordPress user roles and capabilities to ensure least-privilege assignments, and monitor access logs for unauthorized modification attempts. Enable WordPress security logging to detect exploitation attempts targeting the missing authorization flaw.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11836