{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39607", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:22.832Z", "dateUpdated": "2026-04-08T08:30:22.832Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "filter-plus", "product": "Filter Plus", "vendor": "Wpbens", "versions": [{"lessThanOrEqual": "1.1.17", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.617Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Filter Plus: from n/a through <= 1.1.17.</p>"}], "value": "Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filter Plus: from n/a through <= 1.1.17."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:22.832Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/filter-plus/vulnerability/wordpress-filter-plus-plugin-1-1-17-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Filter Plus plugin <= 1.1.17 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filter Plus: from n/a through <= 1.1.17."}], "id": "CVE-2026-39607", "lastModified": "2026-04-08T09:16:30.033", "metrics": {}, "published": "2026-04-08T09:16:30.033", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/filter-plus/vulnerability/wordpress-filter-plus-plugin-1-1-17-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.17]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Filter Plus", "source": "cna", "vendor": "Wpbens"}, "product": "filter_plus", "vendor": "wpbens"}], "analysis": {"en": {"generated_at": "2026-04-08T10:15:17.590440+00:00", "value": {"mitigation_remediation": ["Upgrade the Filter Plus plugin to version 1.1.18 or newer.", "If an upgrade cannot be performed immediately, disable the plugin until a patch is applied.", "Restrict the plugin\u2019s files using web server access controls or file permissions to prevent unauthorized execution.", "Verify that WordPress user accounts have the appropriate roles and that no users possess superfluous privileges that could enable re\u2011activation of the plugin."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Wpbens Filter Plus plugin version 1.1.17 or earlier. Any site using that plugin without updating beyond the specified release is vulnerable, regardless of other active plugins or themes.", "description_and_impact": "This vulnerability is a missing authorization flaw in the WordPress \u201cFilter Plus\u201d plugin that allows users without proper privileges to perform actions such as modifying filter settings or accessing administrative functions. Because the plugin\u2019s access checks are incorrectly configured, an attacker can elevate privileges within the site, potentially taking full control of the site\u2019s configuration. The weakness originates from a failure to validate user roles before executing sensitive operations, classifying it as a missing authorization issue.", "risk_and_exploitability": "The CVSS score and exploit probability are not provided, but the missing authorization flaw warrants high severity. The likely attack vector is inferred to be remote exploitation through crafted HTTP requests to the plugin\u2019s endpoints, requiring an authenticated user who lacks the necessary permissions. Because the plugin does not enforce proper access checks, any such user can trigger the vulnerable behavior. No current exploitation has been reported and the issue is not listed in the CISA KEV catalog, yet the risk remains significant due to the ease of triggering the flaw once credentials are obtained."}}}}, "created": "2026-04-08T19:29:53.348432+00:00", "updated": "2026-04-08T19:42:10.805589+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpbens", "wpbens$PRODUCT$filter_plus"]}