Skip to main content

Rapid Car Check Vehicle Data EUVDEUVD-2026-20377

| CVE-2026-39687 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-pj5v-3p2r-p7q9
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20377
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rapid Car Check Vehicle Data: from n/a through <= 2.0.

AnalysisAI

Rapid Car Check Vehicle Data WordPress plugin versions through 2.0 fails to properly enforce access controls on vehicle data endpoints, allowing unauthenticated remote attackers to modify or access vehicle records through misconfigured authorization checks. The CVSS score of 5.3 reflects limited direct impact (integrity only, no confidentiality or availability breach), but the zero-authentication requirement (PR:N/UI:N) combined with EPSS score of 0.02% and lack of evidence of active exploitation suggest this is a low-priority vulnerability despite network accessibility.

Technical ContextAI

The vulnerability stems from improper implementation of access control mechanisms in the Rapid Car Check Vehicle Data plugin (cpe:2.3:a:rapid_car_check:rapid_car_check_vehicle_data:*:*:*:*:*:*:*:*), classified under CWE-862 (Missing Authorization). The plugin exposes vehicle data endpoints via REST API or direct HTTP handlers without validating whether the requesting user has permission to access or modify specific vehicle records. This is a classic broken access control flaw where authorization checks are either absent, bypassable, or only validate authentication status without verifying resource ownership or role-based permissions. WordPress plugins commonly make this mistake when processing requests with functions like $_GET, $_POST, or REST route handlers without proper current_user_can() or equivalent capability checks.

RemediationAI

Update Rapid Car Check Vehicle Data to a version later than 2.0 once the vendor releases a patched version. At the time of this analysis, no specific vendor-released patch version was independently confirmed from the available references. As an interim mitigation, restrict access to the plugin's vehicle data endpoints via WordPress user role capabilities (ensure only users with appropriate roles can access vehicle records), disable or deactivate the plugin if not actively in use, and audit existing vehicle records for unauthorized modifications using database logs or WordPress activity logging plugins. Consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/free-vehicle-data-uk/vulnerability/wordpress-rapid-car-check-vehicle-data-plugin-2-0-broken-access-control-vulnerability for updated patch availability.

Share

EUVD-2026-20377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy