Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Anton Voytenko Petitioner petitioner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Petitioner: from n/a through <= 0.7.3.
AnalysisAI
Petitioner version 0.7.3 and earlier contains a missing authorization check that allows authenticated users to modify data or settings they should not have access to due to incorrectly configured access control levels. An attacker with valid credentials can exploit this to perform unauthorized actions without requiring user interaction. A patch is not currently available for this vulnerability.
Technical ContextAI
The vulnerability is classified as CWE-862 (Missing Authorization), a fundamental access control weakness where the application fails to properly enforce authorization checks before granting access to protected functions or data. This affects the Anton Voytenko Petitioner plugin (cpe:2.3:a:anton_voytenko:petitioner:*:*:*:*:*:*:*:*), which appears to be a WordPress plugin based on the Patchstack database reference. The root cause involves incorrectly configured access control security levels that permit privilege escalation or unauthorized resource access without proper role-based or capability-based verification. The absence of adequate authorization validation at critical entry points or endpoints allows attackers to circumvent intended security restrictions.
RemediationAI
Upgrade the Petitioner plugin to a version newer than 0.7.3 as soon as a patched release becomes available; monitor the Patchstack database and Anton Voytenko's official repository for security updates. Until a patch is released, disable the Petitioner plugin or restrict access to it via WordPress user role management, limiting activation to trusted administrators only. Additionally, implement WordPress security hardening by enforcing strong authentication mechanisms (two-factor authentication), restricting plugin installation capabilities, and monitoring for unauthorized capability escalation through access logs. Organizations should also review any custom capability configurations within the Petitioner plugin to ensure proper role-based access control is enforced at all critical functions.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15872