Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Paul Bearne Author Avatars List/Block author-avatars allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Author Avatars List/Block: from n/a through <= 2.1.25.
AnalysisAI
Missing authorization in Paul Bearne Author Avatars List/Block plugin (versions up to 2.1.25) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, resulting in partial disclosure of confidential data. The vulnerability has low exploitation probability (EPSS 0.02%) and no public exploit identified, but the automatable nature and broken access control classification warrant attention for WordPress installations using this plugin.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the plugin fails to properly enforce authorization checks before exposing resources. The affected product is a WordPress plugin (cpe:2.3:a:paul_bearne:author_avatars_list/block), which integrates into WordPress's user and content management ecosystem. The broken access control allows unauthenticated actors to bypass security levels, suggesting the plugin exposes API endpoints, REST routes, or admin functions without verifying user permissions. This is common in WordPress plugins where capability checks are omitted or incorrectly implemented.
RemediationAI
Update the Author Avatars List/Block plugin to a version later than 2.1.25 immediately upon availability. Consult the plugin's official repository at WordPress.org or the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/author-avatars/vulnerability/wordpress-author-avatars-list-block-plugin-2-1-25-broken-access-control-vulnerability?_s_id=cve) for confirmation of patched version release. As a temporary mitigation prior to patching, restrict access to the plugin's endpoints using Web Application Firewall (WAF) rules or HTTP authentication if feasible, though this does not address the root access control issue. Verify the patched version is installed and test to confirm the authorization checks are now properly enforced.
More in Author Avatars List Block
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20383
GHSA-rj85-rwqp-58g9