Skip to main content

All-In-One Intranet EUVDEUVD-2026-39680

| CVE-2026-54837 HIGH
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-p896-xrwf-h8qr
7.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated remote request bypasses the plugin's access control with no interaction (PR:N/UI:N/AV:N/AC:L); impact is read-only disclosure of private content, so C:H and I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:36 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Intranet &amp; Private Site &#8211; All-In-One Intranet <= 1.8.1 versions.

AnalysisAI

Broken access control in the All-In-One Intranet WordPress plugin (versions ≤ 1.8.1) allows unauthenticated remote attackers to bypass the plugin's core 'force login / private site' restriction and read content that is supposed to be visible only to authenticated intranet members. The flaw is a missing authorization check (CWE-862) that undermines the single security feature the plugin exists to provide. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site using All-In-One Intranet
Delivery
Send unauthenticated request to gated content
Exploit
Missing authorization check fails to redirect
Execution
Receive private intranet content
Impact
Harvest disclosed internal information

Vulnerability AssessmentAI

Exploitation The target site must be running the All-In-One Intranet plugin (≤ 1.8.1) and relying on it to enforce a private/force-login intranet policy - the bug only matters where this plugin is the gatekeeper for otherwise-sensitive content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately concerning but not emergency-grade. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows or guesses the URL of a WordPress site hardened with All-In-One Intranet sends a direct, unauthenticated HTTP request to content that should require login, and the missing authorization check returns the private page or data instead of redirecting to a login prompt. Because no authentication, user interaction, or special tooling is required (AV:N/AC:L/PR:N/UI:N), the attacker simply enumerates or requests intranet URLs to harvest internal information. …
Remediation Update the All-In-One Intranet plugin to a release later than 1.8.1 as soon as the vendor publishes a fixed version - no exact patched version number is confirmed in the available data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/all-in-one-intranet/vulnerability/wordpress-intranet-private-site-all-in-one-intranet-plugin-1-8-1-broken-access-control-vulnerability?_s_id=cve) and the plugin's WordPress.org page for the current version before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all WordPress installations using All-In-One Intranet plugin and verify current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy