CVE-2026-39658 - Vulnerability Details - OpenCVE

Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

Vendors	Products
Coding Panda	Panda Pods Repeater Field
Wordpress	Wordpress

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Coding Panda	Panda Pods Repeater Field
Wordpress	Wordpress

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/panda-pods-repeater-field/vulnerability/wordpress-panda-pods-repeater-field-plugin-1-5-12-broken-access-control-vulnerability?_s_id=cve

History

Wed, 08 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Coding Panda Coding Panda panda Pods Repeater Field Wordpress Wordpress wordpress
Vendors & Products		Coding Panda Coding Panda panda Pods Repeater Field Wordpress Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12.
Title		WordPress Panda Pods Repeater Field plugin <= 1.5.12 - Broken Access Control vulnerability
Weaknesses		CWE-862
References		https://patchstack.com/database/Wordpress/Plugin/panda-pods-repeater-field/vulnerability/wordpress-panda-pods-repeater-field-plugin-1-5-12-broken-access-control-vulnerability?_s_id=cve

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-04-08T08:30:36.675Z

Updated: 2026-04-08T08:30:36.675Z

Reserved: 2026-04-07T10:57:53.260Z

Link: CVE-2026-39658

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T09:16:36.970

Modified: 2026-04-08T09:16:36.970

Link: CVE-2026-39658

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:18Z

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Panda Pods Repeater Field", "source": "cna", "vendor": "Coding Panda"}, "product": "panda_pods_repeater_field", "vendor": "coding_panda"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:04:12.427808+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of the Panda Pods Repeater Field plugin (>=\u202f1.5.13) to eliminate the missing authorization logic.", "Ensure that role\u2011based permissions for the plugin are correctly configured and that only trusted administrators can create or modify pod data.", "If an update is not possible, deactivate or remove the plugin from the site to prevent unauthorized access.", "Monitor WordPress logs for unexpected activity associated with pod data modifications.", "Apply network\u2011level restrictions or web application firewall rules to block suspicious requests to the plugin\u2019s endpoints."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The issue affects the Coding Panda Panda Pods Repeater Field WordPress plugin in all releases from the known starting point through version\u202f1.5.12. Any site that has the plugin installed and operating on a version no newer than 1.5.12 is vulnerable. The plugin is commonly used in WordPress installations under the vendor Coding Panda.", "description_and_impact": "The vulnerability is a missing authorization check that allows an attacker to bypass normal access controls within the Panda Pods Repeater Field plugin. Because the plugin does not enforce permissions on its API endpoints, an authenticated or unauthenticated user may create, modify, or delete pod data and other sensitive content. This can lead to data corruption, disclosure, or unauthorized changes to site content, satisfying CWE\u2011862, Missing Authorization. The impact is the potential for unauthorized manipulation of WordPress content and associated data.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS information is unavailable, so the precise severity cannot be quantified. However, because the flaw permits bypassing access controls, it presents a high risk of privilege escalation and data tampering. The lack of an official KEV listing suggests no known exploited instances yet, but the absence of safeguards makes exploitation straightforward once the vulnerability is discovered. The likely attack path would involve sending crafted HTTP requests to the plugin\u2019s exposed endpoints with credentials or through cross\u2011site request forgery techniques."}}}}, "created": "2026-04-08T19:28:15.059796+00:00", "updated": "2026-04-08T19:41:18.048819+00:00", "vendors": ["coding_panda", "coding_panda$PRODUCT$panda_pods_repeater_field", "wordpress", "wordpress$PRODUCT$wordpress"]}