Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPVulnerability: from n/a through <= 4.2.1.
AnalysisAI
WPVulnerability plugin through version 4.2.1 contains an authorization bypass that allows authenticated users to modify data they should not have access to due to improperly enforced access controls. An attacker with valid login credentials can escalate privileges to perform unauthorized modifications within the plugin's protected functions. No patch is currently available for this vulnerability.
Technical ContextAI
The WPVulnerability plugin (CPE: cpe:2.3:a:javier_casares:wpvulnerability:*:*:*:*:*:*:*:*) is a WordPress plugin developed by Javier Casares that appears designed for security testing or vulnerability demonstration purposes. The root cause is classified under CWE-862 (Missing Authorization), which represents a fundamental failure to enforce proper access control checks before allowing users to perform privileged operations or access sensitive resources. This typically manifests in WordPress plugins when capability checks (using functions like current_user_can()) are either absent, improperly implemented, or bypassed through incorrect conditional logic, allowing low-privileged users or unauthenticated visitors to execute administrator-level actions or access restricted content.
RemediationAI
Immediately upgrade the WPVulnerability plugin to the latest available version beyond 4.2.1 (exact patch version to be confirmed with Javier Casares or Patchstack). Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpvulnerability/vulnerability/wordpress-wpvulnerability-plugin-4-2-1-broken-access-control-vulnerability for specific patch details and changelog. As a temporary measure prior to upgrading, disable the WPVulnerability plugin entirely if it is not actively required for legitimate security testing purposes, restrict access to its administrative pages via Web Application Firewall (WAF) rules or .htaccess, and audit WordPress user roles and capabilities to ensure only intended users have elevated permissions. Review WordPress access logs for evidence of unauthorized access or privilege escalation attempts.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15571
GHSA-8h47-9x4c-74fv