Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1.
AnalysisAI
Missing authorization in WpXmas-Snow WordPress plugin up to version 1.1 allows unauthenticated remote attackers to modify plugin content through incorrectly configured access control, resulting in unauthorized data integrity violations without requiring authentication or user interaction.
Technical ContextAI
WpXmas-Snow is a WordPress plugin that implements seasonal snow effects on websites. The vulnerability stems from CWE-862 (Missing Authorization), a class where the plugin fails to enforce proper permission checks before allowing modifications to protected resources. The affected CPE (cpe:2.3:a:pankaj_kumar:wpxmas-snow:*:*:*:*:*:*:*:*) indicates all versions through 1.1 lack adequate access control validation. WordPress plugins typically enforce authorization through capability checks (like 'manage_options' for administrative functions); this plugin appears to omit such checks on modification endpoints accessible over the network.
RemediationAI
Update WpXmas-Snow to version 1.2 or later once released by the vendor, or disable the plugin immediately if an update is unavailable. Since the Patchstack advisory indicates awareness of the vulnerability, check the official WordPress plugin repository or the plugin author's GitHub repository for patched releases. WordPress site administrators should navigate to Plugins > Installed Plugins, locate WpXmas-Snow, and apply the update as soon as it becomes available. If a patched version is not yet released, deactivate and remove the plugin until a fix is available, as the vulnerability allows unauthorized modification of plugin-controlled content.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20246
GHSA-qr82-4rg7-7243