Skip to main content

Universal Clocks EUVDEUVD-2026-43400

| CVE-2026-57782 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable WordPress endpoint requires no authentication; impact is limited to low-severity integrity modification with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:19 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in PressTigers Universal Clocks universal-clocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Clocks: from n/a through <= 1.2.0.

AnalysisAI

Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate WordPress plugins on target
Delivery
Identify Universal Clocks ≤1.2.0 installed
Exploit
Craft HTTP request to unprotected plugin endpoint
Execution
Bypass missing authorization check
Persist
Execute unauthorized plugin action
Impact
Achieve unauthorized integrity modification

Vulnerability AssessmentAI

Exploitation The CVSS vector PR:N/AC:L/UI:N indicates no authentication is required, no special attack complexity exists, and no user interaction is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.3 (Medium) reflects a remotely exploitable, low-complexity flaw requiring no authentication or user interaction, but with a limited impact ceiling - only Integrity:Low, with no Confidentiality or Availability impact (C:N/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running Universal Clocks ≤1.2.0 via passive fingerprinting (e.g., plugin enumeration through publicly visible asset paths), then submits a crafted HTTP POST request directly to the plugin's unprotected action endpoint, bypassing the missing authorization gate to execute a privileged plugin operation - such as modifying clock display settings or stored configuration - without presenting any credentials. No public POC has been identified at time of analysis, but the low attack complexity (AC:L) means exploitation would be straightforward once the specific endpoint is known.
Remediation The primary remediation is to update the Universal Clocks plugin beyond version 1.2.0; however, no specific patched release version has been confirmed in the available intelligence - administrators should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/universal-clocks/vulnerability/wordpress-universal-clocks-plugin-1-2-0-broken-access-control-vulnerability for the latest release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy