{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39610", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:23.579Z", "dateUpdated": "2026-04-08T08:30:23.579Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpxmas-snow", "product": "WpXmas-Snow", "vendor": "Pankaj Kumar", "versions": [{"lessThanOrEqual": "1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.625Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WpXmas-Snow: from n/a through <= 1.1.</p>"}], "value": "Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:23.579Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpxmas-snow/vulnerability/wordpress-wpxmas-snow-plugin-1-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WpXmas-Snow plugin <= 1.1 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1."}], "id": "CVE-2026-39610", "lastModified": "2026-04-08T09:16:30.440", "metrics": {}, "published": "2026-04-08T09:16:30.440", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpxmas-snow/vulnerability/wordpress-wpxmas-snow-plugin-1-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WpXmas-Snow", "source": "cna", "vendor": "Pankaj Kumar"}, "product": "wpxmas-snow", "vendor": "pankaj_kumar"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:15:01.771938+00:00", "value": {"mitigation_remediation": ["Upgrade the WpXmas\u2011Snow plugin to the latest version that addresses the authorization flaw. ", "If an update is not yet available, deactivate or uninstall the plugin to eliminate the exposed functionality. ", "Limit plugin access by assigning WordPress roles appropriately so that only trusted users can interact with its features. ", "Regularly review and monitor site logs for suspicious activity that may indicate attempts to exploit the access controls."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The plugin developed by Pankaj Kumar, version 1.1 and all earlier releases, is affected. Any WordPress site that deploys these versions of the WpXmas\u2011Snow plugin is at risk.", "description_and_impact": "A missing authorization flaw in the WpXmas\u2011Snow WordPress plugin allows attackers to bypass access control checks. The vulnerability can enable unauthorized users to execute actions normally reserved for administrators, such as viewing, modifying, or deleting site content. It is identified as CWE\u2011862, indicating a failure to enforce proper authorization.", "risk_and_exploitability": "With no exploit probability data available, the inherent lack of authorization presents a significant risk of exploitation. An attacker could manipulate HTTP requests to reach plugin endpoints and perform privileged actions without proper authentication. The vulnerability threatens the confidentiality, integrity, or availability of the site if accessed by malicious actors. The problem is not listed in the Known Exploited Vulnerabilities catalogue."}}}}, "created": "2026-04-08T19:29:50.091627+00:00", "updated": "2026-04-08T19:42:07.378288+00:00", "vendors": ["pankaj_kumar", "pankaj_kumar$PRODUCT$wpxmas-snow", "wordpress", "wordpress$PRODUCT$wordpress"]}