Skip to main content

Wp Delicious EUVDEUVD-2026-20188

| CVE-2026-39528 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-6r8x-gfgq-mg6w
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20188
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through <= 1.9.5.

AnalysisAI

Missing authorization in WP Delicious WordPress plugin versions up to 1.9.5 enables unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access restrictions. The vulnerability allows unauthorized information disclosure with low CVSS impact (5.3) but affects a widely deployed WordPress plugin; exploitation likelihood is minimal (EPSS 0.02%, percentile 4%) and no public exploit code has been identified.

Technical ContextAI

WP Delicious is a WordPress recipe plugin that implements access control for recipe content and administrative functions. The vulnerability stems from CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before granting access to protected resources. The absence of proper access control checks in API endpoints or administrative functions allows the plugin to trust client-supplied requests without server-side authorization validation. This is a common pattern in WordPress plugins where capability checks (using functions like current_user_can()) are omitted or misconfigured, allowing any remote client-authenticated or not-to access restricted endpoints. The plugin's affected CPE range (all versions through 1.9.5) suggests a systemic authorization issue rather than a isolated function flaw.

RemediationAI

Upgrade WP Delicious to a version newer than 1.9.5; consult the vendor's plugin update mechanism in the WordPress admin dashboard or the official plugin repository for the latest available version. The plugin should automatically offer an in-dashboard update once a patched release is published. Until an update is available, site administrators should verify that the plugin's access control settings are correctly configured and consider temporarily disabling the plugin if sensitive recipe data is restricted to authenticated users. Detailed advisory information is available at https://patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-9-5-broken-access-control-vulnerability and the NVD CVE entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39528.

Share

EUVD-2026-20188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy