Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12.
AnalysisAI
Missing authorization in Coding Panda Panda Pods Repeater Field WordPress plugin versions up to 1.5.12 allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting confidentiality and integrity of plugin-managed content without requiring user interaction or elevated privileges.
Technical ContextAI
Panda Pods Repeater Field is a WordPress plugin that extends the Pods content management framework to provide repeater field functionality for managing structured, repeated data entries. The vulnerability stems from CWE-862 (Missing Authorization), a root cause where the plugin fails to implement proper authorization checks before allowing data modification operations. The affected component likely processes repeater field updates through WordPress REST API endpoints or admin AJAX handlers without validating whether the requesting user has permission to modify the associated pod or field data. The CPE designation (cpe:2.3:a:coding_panda:panda_pods_repeater_field) identifies this as an application-level vulnerability in the plugin itself, not in WordPress core or the underlying Pods framework.
RemediationAI
Update Panda Pods Repeater Field to a version newer than 1.5.12 when available from the plugin author or WordPress.org plugin repository. Administrators should navigate to WordPress Plugins → Installed Plugins, locate Panda Pods Repeater Field, and apply the update. If no patched version is available immediately, restrict plugin access by disabling the plugin until an update is released, or implement WordPress user role restrictions to limit who can create or edit Pods repeater fields. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/panda-pods-repeater-field/) and NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39658) for patch availability announcements.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20327
GHSA-jxjc-fjfc-2w5w