Skip to main content

Instawp Connect EUVDEUVD-2026-20168

| CVE-2026-39504 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-2mpg-m27w-5p6f
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20168
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.

AnalysisAI

InstaWP Connect WordPress plugin through version 0.1.2.5 permits authenticated users to access or modify resources they should not have permission to reach due to missing authorization checks. With CVSS 5.4 (authenticated network access, low complexity), EPSS 0.02%, and no confirmed public exploit code, this represents a moderate privilege escalation risk primarily affecting multi-user WordPress installations where access control segregation is important.

Technical ContextAI

InstaWP Connect is a WordPress plugin (CPE: cpe:2.3:a:instawp:instawp_connect:*:*:*:*:*:*:*:*) that facilitates WordPress site management and deployment. The vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws where the application fails to enforce proper permission boundaries between users or roles. In WordPress plugin context, this typically manifests when admin or privileged functions lack capability checks (e.g., missing current_user_can() or similar authorization verifications), allowing authenticated users with lower privileges (such as Editor or Contributor roles) to execute operations restricted to Administrators. The plugin's access control security levels are inadequately validated against the executing user's role or capabilities.

RemediationAI

Update InstaWP Connect to a version newer than 0.1.2.5 if a patched release is available from the vendor. If a patched version is not yet released, temporarily deactivate the plugin or restrict its use to trusted administrator accounts only. Review WordPress user roles and capabilities using the Roles and Capabilities plugin or WordPress built-in role settings to ensure that Editor, Contributor, and other non-Administrator roles cannot access sensitive InstaWP Connect functions. Implement additional authorization checks in any custom integrations with InstaWP Connect. Monitor the Patchstack advisory and NIST NVD page (https://nvd.nist.gov/vuln/detail/CVE-2026-39504) for patch release announcements.

Share

EUVD-2026-20168 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy