Skip to main content

Wp Ultimate Review EUVDEUVD-2026-20303

| CVE-2026-39644 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-grgr-vjmq-55cc
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20303
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wp Ultimate Review: from n/a through <= 2.3.8.

AnalysisAI

Missing authorization in Roxnor Wp Ultimate Review plugin versions up to 2.3.8 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels, resulting in limited information disclosure. The vulnerability carries a low EPSS exploitation probability (0.02%, 4th percentile) and has not been confirmed as actively exploited, though the simple attack vector (network-accessible, no complexity, no authentication required) means opportunistic exploitation is feasible.

Technical ContextAI

This is a classic broken access control vulnerability (CWE-862) in a WordPress plugin. The plugin fails to properly validate user permissions before exposing sensitive operations or data endpoints. Roxnor Wp Ultimate Review is a WordPress plugin (CPE: cpe:2.3:a:roxnor:wp_ultimate_review:*:*:*:*:*:*:*:*) that appears to implement review functionality; the missing authorization controls allow bypass of intended security restrictions on access levels, enabling unauthenticated users to read protected content or perform unintended actions. WordPress plugins execute in the context of the WordPress application, and improper authorization checks-especially when absent entirely-are a common vulnerability class in the WordPress ecosystem.

RemediationAI

Update Roxnor Wp Ultimate Review to a version later than 2.3.8; the exact patched version number is not specified in available data, so administrators should check the plugin's official repository or the Patchstack advisory for the recommended upgrade target. Immediately apply the patch through the WordPress plugin management interface or by manual update. Until patching is complete, review and restrict access to the plugin's endpoints through WordPress user role management and, if possible, Web Application Firewall (WAF) rules to block unauthenticated access to sensitive plugin functions. Verify that access control checks are properly enforced post-patch.

Share

EUVD-2026-20303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy