Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Network-accessible WordPress endpoint, low-privilege account required, no confidentiality or integrity impact, only limited availability disruption.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Codexpert Inc ThumbPress allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects ThumbPress: from n/a through 6.3.2.
AnalysisAI
Missing authorization in the ThumbPress WordPress plugin (Codexpert Inc) through version 6.3.2 allows low-privileged authenticated users to invoke restricted plugin functionality, resulting in limited availability impact against thumbnail or image-size management operations. The CVSS vector (PR:L, A:L) confirms exploitation requires an authenticated session but no elevated role, and produces no confidentiality or integrity loss - only partial disruption. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum a low-privilege role (e.g., subscriber), as confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) reflects a constrained impact profile: Availability is rated Low, with no Confidentiality or Integrity impact, and exploitation requires a low-privilege authenticated account (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a low-privilege WordPress account - such as a subscriber or contributor - on a site running ThumbPress through 6.3.2 sends a crafted HTTP POST request to wp-admin/admin-ajax.php targeting the vulnerable action without possessing the required capability. Because the authorization check is missing, WordPress processes the request and performs the restricted thumbnail operation, causing partial availability disruption to the site's image management. … |
| Remediation | The primary remediation is to update ThumbPress to a version beyond 6.3.2; however, no specific patched release version is confirmed in the available input data - the fix version should be verified against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/image-sizes/vulnerability/wordpress-thumbpress-plugin-6-3-2-broken-access-control-vulnerability and the WordPress plugin repository changelog before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41091
GHSA-gr9v-q5xg-p963