Skip to main content

12 Step Meeting List EUVDEUVD-2026-20215

| CVE-2026-39569 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-mrpg-59p9-vgrh
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20215
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.

AnalysisAI

Broken access control in AA Web Servant 12 Step Meeting List plugin version 3.19.9 and earlier allows authenticated users to view sensitive information by exploiting misconfigured access control security levels. An attacker with low-level privileges can enumerate or access data they should not be permitted to view, exposing confidential meeting or user information. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating low real-world exploitation probability despite the moderate CVSS score of 6.5.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a common flaw in access control logic where application security checks fail to properly validate user permissions before granting access to protected resources. In the 12 Step Meeting List plugin (CPE: cpe:2.3:a:aa_web_servant:12_step_meeting_list:*:*:*:*:*:*:*:*), access control security levels are incorrectly configured, permitting users with limited authentication status (PR:L per CVSS vector) to retrieve or view confidential data. This typically occurs when authorization checks are missing from API endpoints, data retrieval functions, or administrative interfaces, allowing privilege escalation through horizontal access control bypass rather than vertical elevation.

RemediationAI

Upgrade the 12 Step Meeting List plugin to a patched version greater than 3.19.9 immediately upon availability. Consult the Patchstack database (https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-broken-access-control-vulnerability?_s_id=cve) and NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2026-39569) for the specific patched release version. Until a patch is released, restrict user account creation and lower-privilege role assignments to minimize the attack surface, audit access control logs for unauthorized data access, and consider temporarily disabling the plugin if meeting information is not mission-critical. Implement WordPress security plugins that monitor unauthorized access attempts to sensitive endpoints.

Share

EUVD-2026-20215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy