Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13.
AnalysisAI
NM Gift Registry and Wishlist Lite WordPress plugin versions up to 5.13 allows unauthenticated remote attackers to modify data through missing authorization checks on access control settings. The vulnerability stems from incorrectly configured authorization levels that fail to validate user permissions before processing requests, enabling attackers to bypass authentication mechanisms and alter registry or wishlist information without proper credentials. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the low attack complexity.
Technical ContextAI
The vulnerability resides in a WordPress plugin architecture where access control decisions are implemented at the application level. CWE-862 (Missing Authorization) indicates the plugin fails to verify that an authenticated session or valid credentials exist before permitting sensitive operations. The affected plugin uses the standard WordPress permission model (capabilities system), but implementation flaws allow the authorization checks to be bypassed entirely. The AV:N/AC:L profile indicates the flaw is reachable over the network without requiring complex manipulation of the target system. The plugin processes requests that modify registry or wishlist data without proper nonce validation or capability checks, allowing any network-accessible client to submit requests that alter protected resources.
RemediationAI
Update NM Gift Registry and Wishlist Lite to a version newer than 5.13 when the vendor releases a patched version. Users should verify the plugin's official page on WordPress.org or the vendor's advisory for the specific patched version number. As an interim mitigation, restrict direct HTTP access to the plugin's request handlers using web application firewall (WAF) rules or WordPress security plugins that enforce capability checks before processing modify operations. Implement WordPress user role auditing to ensure only trusted administrators have access to gift registry configuration. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/nm-gift-registry-and-wishlist-lite/vulnerability/wordpress-nm-gift-registry-and-wishlist-lite-plugin-5-13-broken-access-control-vulnerability) for timeline confirmation and alternative mitigation strategies.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20229
GHSA-3xmw-f5q8-mw2q