{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27071", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:51.341Z", "datePublished": "2026-03-25T16:14:54.113Z", "dateUpdated": "2026-03-25T16:14:54.113Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-cafe", "product": "WPCafe", "vendor": "Arraytics", "versions": [{"lessThanOrEqual": "<= 3.0.7", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:31.860Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WPCafe: from n/a through <= 3.0.7.</p>"}], "value": "Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 3.0.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:54.113Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-cafe/vulnerability/wordpress-wpcafe-plugin-3-0-6-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WPCafe plugin <= 3.0.7 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 3.0.7."}], "id": "CVE-2026-27071", "lastModified": "2026-03-25T17:16:54.660", "metrics": {}, "published": "2026-03-25T17:16:54.660", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-cafe/vulnerability/wordpress-wpcafe-plugin-3-0-6-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:44:37.154411+00:00", "value": {"mitigation_remediation": ["Update WPCafe to version 3.0.8 or later", "If an update is not feasible, deactivate the plugin until a patch is available", "Configure WordPress to limit access to administrative functions to trusted users only", "Review and tighten any custom access control settings that interact with the plugin"], "summary": {"action": "Apply patch", "impact": "Unauthorized access and privilege escalation"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress WPCafe plugin provided by Arraytics. Any installation of WPCafe with a version identifier of 3.0.7 or earlier is vulnerable. This includes all releases from the earliest documented version through and including 3.0.7.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows attackers to bypass checks and exploit incorrectly configured access control levels. Because the WPCafe plugin does not enforce proper permissions, a malicious user can perform actions normally reserved for privileged accounts, such as modifying settings, adding or removing content, or accessing sensitive data. This issue is classified under CWE-862, indicating a lack of adequate authorization controls.", "risk_and_exploitability": "The vulnerability is remotely exploitable through the web interface of a WordPress site hosting the plugin. An attacker does not need elevated privileges to achieve the exploit, only the ability to send requests to the plugin\u2019s endpoints. While no CVSS score or EPSS score is publicly listed, the nature of the flaw\u2014broken access control\u2014generally carries high risk for confidentiality, integrity, and availability. The absence of a KEV listing does not diminish the likelihood that attackers could target this flaw, especially on sites with exposed administrative interfaces."}}}}, "created": "2026-03-25T21:44:04.144625+00:00", "updated": "2026-03-25T21:44:04.144691+00:00", "vendors": []}