Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
AnalysisAI
Missing authorization in massiveshift AI Workflow Automation plugin (versions up to 1.4.2) allows unauthenticated remote attackers to modify data through incorrectly configured access control security levels, affecting the WordPress plugin ai-workflow-automation-lite. The vulnerability has a low EPSS score (0.02%, 4th percentile) despite CVSS 5.3, suggesting limited real-world exploitation likelihood despite network accessibility.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control failure where the application fails to verify that users have proper permissions before allowing sensitive operations. In this case, the AI Workflow Automation plugin does not adequately enforce authorization checks on its API or functional endpoints, allowing requests from unauthenticated users to pass authorization validation. The affected product is the WordPress plugin 'ai-workflow-automation-lite' published by massiveshift, which integrates workflow automation capabilities into WordPress environments. The lack of proper authorization enforcement means that security levels and role-based access controls are either not checked or are misconfigured, permitting unauthorized modifications.
RemediationAI
Update the AI Workflow Automation plugin to a version newer than 1.4.2 if a patched version is available from massiveshift. Users should check the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ai-workflow-automation-lite/vulnerability/wordpress-ai-workflow-automation-plugin-1-4-2-broken-access-control-vulnerability) and the NIST NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39699) for patch availability and timeline. In the interim, administrators should audit and tighten access control configurations within the plugin, restrict plugin functionality to authenticated users only, and monitor for unauthorized modification attempts in WordPress logs. Disabling the plugin entirely is advisable if patches remain unavailable and the functionality is not business-critical.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20398
GHSA-8m6c-ch3f-3mpm