Skip to main content

Wpams

1 CVEs product

Monthly

CVE-2026-39433 MEDIUM PATCH This Month

Arbitrary content deletion in the WPAMS WordPress plugin (versions prior to 49.5.3) by Mojoomla allows any authenticated subscriber-level user to delete content they are not authorized to remove. Rooted in a missing authorization check (CWE-862), this flaw bypasses WordPress capability controls entirely for deletion operations. No active exploitation has been identified in CISA KEV, and no public proof-of-concept has been disclosed at time of analysis, but the low privilege bar - a standard subscriber account - makes exploitation trivially accessible to any registered site user.

Authentication Bypass Wpams
NVD
CVSS 3.1
6.5
EPSS
0.4%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Arbitrary content deletion in the WPAMS WordPress plugin (versions prior to 49.5.3) by Mojoomla allows any authenticated subscriber-level user to delete content they are not authorized to remove. Rooted in a missing authorization check (CWE-862), this flaw bypasses WordPress capability controls entirely for deletion operations. No active exploitation has been identified in CISA KEV, and no public proof-of-concept has been disclosed at time of analysis, but the low privilege bar - a standard subscriber account - makes exploitation trivially accessible to any registered site user.

Authentication Bypass Wpams
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy