Skip to main content

Gutenverse Companion EUVDEUVD-2026-39676

| CVE-2026-54832 HIGH
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-5fm5-5j35-734h
7.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Missing authorization on a network-reachable WordPress endpoint needs no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is data modification only, so I:H with C:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:35 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Gutenverse Companion <= 2.5.0 versions.

AnalysisAI

Unauthorized data modification in the Gutenverse Companion WordPress plugin (versions 2.5.0 and earlier) lets remote unauthenticated attackers invoke protected functionality due to a missing authorization check. The CVSS 3.1 vector (AV:N/PR:N/UI:N, I:H, C:N, A:N) indicates a network-reachable, no-login integrity compromise rather than data theft or outage. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Scan for Gutenverse Companion plugin
Delivery
Send crafted unauthenticated request
Exploit
Missing authorization check passes
Execution
Invoke privileged operation
Impact
Modify WordPress site data

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a vulnerable installation of Gutenverse Companion (version 2.5.0 or earlier) be installed, active, and network-reachable on a WordPress site; per the CVSS vector AV:N/AC:L/PR:N/UI:N there is no special configuration, authentication, or user interaction needed to reach the unguarded endpoint, so this is effectively unauthenticated exploitation against default deployments running the plugin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially aligned and partially incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans WordPress sites for the Gutenverse Companion plugin and sends a crafted unauthenticated HTTP request to the plugin's exposed action, invoking a privileged operation that should require a logged-in authorized user. Because the authorization check is missing, the request succeeds and modifies site state without any credentials or user interaction. …
Remediation No vendor-released patch version is identified in the available data, so confirm the fixed release directly from the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/gutenverse-companion/vulnerability/wordpress-gutenverse-companion-plugin-2-5-0-broken-access-control-vulnerability?_s_id=cve) and upgrade to the first version published above 2.5.0 once available; do not assume a specific number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress installations running Gutenverse Companion versions 2.5.0 or earlier; disable and remove the plugin; audit content modification logs for unauthorized changes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy