Skip to main content

Author Avatars List Block EUVDEUVD-2026-20383

| CVE-2026-39690 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-rj85-rwqp-58g9
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20383
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in Paul Bearne Author Avatars List/Block author-avatars allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Author Avatars List/Block: from n/a through <= 2.1.25.

AnalysisAI

Missing authorization in Paul Bearne Author Avatars List/Block plugin (versions up to 2.1.25) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, resulting in partial disclosure of confidential data. The vulnerability has low exploitation probability (EPSS 0.02%) and no public exploit identified, but the automatable nature and broken access control classification warrant attention for WordPress installations using this plugin.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to properly enforce authorization checks before exposing resources. The affected product is a WordPress plugin (cpe:2.3:a:paul_bearne:author_avatars_list/block), which integrates into WordPress's user and content management ecosystem. The broken access control allows unauthenticated actors to bypass security levels, suggesting the plugin exposes API endpoints, REST routes, or admin functions without verifying user permissions. This is common in WordPress plugins where capability checks are omitted or incorrectly implemented.

RemediationAI

Update the Author Avatars List/Block plugin to a version later than 2.1.25 immediately upon availability. Consult the plugin's official repository at WordPress.org or the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/author-avatars/vulnerability/wordpress-author-avatars-list-block-plugin-2-1-25-broken-access-control-vulnerability?_s_id=cve) for confirmation of patched version release. As a temporary mitigation prior to patching, restrict access to the plugin's endpoints using Web Application Firewall (WAF) rules or HTTP authentication if feasible, though this does not address the root access control issue. Verify the patched version is installed and test to confirm the authorization checks are now properly enforced.

Share

EUVD-2026-20383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy