Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Arjan Pronk linkPizza-Manager linkpizza-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects linkPizza-Manager: from n/a through <= 5.5.5.
AnalysisAI
Unauthenticated remote attackers can access sensitive information in linkPizza-Manager WordPress plugin through incorrectly configured access controls that fail to enforce proper authorization checks. The vulnerability affects linkPizza-Manager versions up to 5.5.5 and allows an unauthenticated attacker to obtain partial confidentiality impact with no modification or availability impact. No public exploit code has been identified at time of analysis.
Technical ContextAI
The vulnerability stems from a Missing Authorization flaw (CWE-862) in the linkPizza-Manager WordPress plugin, which fails to properly enforce access control security levels. The plugin does not adequately validate whether a user has the required permissions before allowing access to sensitive functionality or data. This is a common class of vulnerability in web applications where authorization checks are either absent or improperly implemented, allowing attackers to bypass intended access restrictions. The issue is classified as 'Incorrectly Configured Access Control Security Levels', indicating that the authorization controls exist but are misconfigured rather than completely absent. The affected product is identified via CPE as the linkPizza-Manager application spanning versions from initial release through version 5.5.5.
RemediationAI
Organizations should upgrade linkPizza-Manager to a version newer than 5.5.5 as soon as a patched release becomes available from the plugin developer. Users should verify the latest version on the official plugin repository and apply updates promptly. Until a patched version is released, administrators should restrict access to the plugin's functionality through WordPress role and capability management, limiting access to trusted administrators only. For detailed advisory information and current patch status, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/linkpizza-manager/vulnerability/wordpress-linkpizza-manager-plugin-5-5-5-broken-access-control-vulnerability and the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-39682.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20367
GHSA-3w63-gvhp-2wgh