Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rapid Car Check Vehicle Data: from n/a through <= 2.0.
AnalysisAI
Rapid Car Check Vehicle Data WordPress plugin versions through 2.0 fails to properly enforce access controls on vehicle data endpoints, allowing unauthenticated remote attackers to modify or access vehicle records through misconfigured authorization checks. The CVSS score of 5.3 reflects limited direct impact (integrity only, no confidentiality or availability breach), but the zero-authentication requirement (PR:N/UI:N) combined with EPSS score of 0.02% and lack of evidence of active exploitation suggest this is a low-priority vulnerability despite network accessibility.
Technical ContextAI
The vulnerability stems from improper implementation of access control mechanisms in the Rapid Car Check Vehicle Data plugin (cpe:2.3:a:rapid_car_check:rapid_car_check_vehicle_data:*:*:*:*:*:*:*:*), classified under CWE-862 (Missing Authorization). The plugin exposes vehicle data endpoints via REST API or direct HTTP handlers without validating whether the requesting user has permission to access or modify specific vehicle records. This is a classic broken access control flaw where authorization checks are either absent, bypassable, or only validate authentication status without verifying resource ownership or role-based permissions. WordPress plugins commonly make this mistake when processing requests with functions like $_GET, $_POST, or REST route handlers without proper current_user_can() or equivalent capability checks.
RemediationAI
Update Rapid Car Check Vehicle Data to a version later than 2.0 once the vendor releases a patched version. At the time of this analysis, no specific vendor-released patch version was independently confirmed from the available references. As an interim mitigation, restrict access to the plugin's vehicle data endpoints via WordPress user role capabilities (ensure only users with appropriate roles can access vehicle records), disable or deactivate the plugin if not actively in use, and audit existing vehicle records for unauthorized modifications using database logs or WordPress activity logging plugins. Consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/free-vehicle-data-uk/vulnerability/wordpress-rapid-car-check-vehicle-data-plugin-2-0-broken-access-control-vulnerability for updated patch availability.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20377
GHSA-pj5v-3p2r-p7q9