Skip to main content

Wpxmas Snow EUVDEUVD-2026-20246

| CVE-2026-39610 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-qr82-4rg7-7243
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20246
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1.

AnalysisAI

Missing authorization in WpXmas-Snow WordPress plugin up to version 1.1 allows unauthenticated remote attackers to modify plugin content through incorrectly configured access control, resulting in unauthorized data integrity violations without requiring authentication or user interaction.

Technical ContextAI

WpXmas-Snow is a WordPress plugin that implements seasonal snow effects on websites. The vulnerability stems from CWE-862 (Missing Authorization), a class where the plugin fails to enforce proper permission checks before allowing modifications to protected resources. The affected CPE (cpe:2.3:a:pankaj_kumar:wpxmas-snow:*:*:*:*:*:*:*:*) indicates all versions through 1.1 lack adequate access control validation. WordPress plugins typically enforce authorization through capability checks (like 'manage_options' for administrative functions); this plugin appears to omit such checks on modification endpoints accessible over the network.

RemediationAI

Update WpXmas-Snow to version 1.2 or later once released by the vendor, or disable the plugin immediately if an update is unavailable. Since the Patchstack advisory indicates awareness of the vulnerability, check the official WordPress plugin repository or the plugin author's GitHub repository for patched releases. WordPress site administrators should navigate to Plugins > Installed Plugins, locate WpXmas-Snow, and apply the update as soon as it becomes available. If a patched version is not yet released, deactivate and remove the plugin until a fix is available, as the vulnerability allows unauthorized modification of plugin-controlled content.

Share

EUVD-2026-20246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy