{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25330", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:29.367Z", "datePublished": "2026-02-19T08:26:56.890Z", "dateUpdated": "2026-04-28T16:14:55.292Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "publishpress-authors", "product": "PublishPress Authors", "vendor": "PublishPress", "versions": [{"changes": [{"at": "4.11.0", "status": "unaffected"}], "lessThanOrEqual": "4.10.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:04.626Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects PublishPress Authors: from n/a through <= 4.10.1.</p>"}], "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:55.292Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/publishpress-authors/vulnerability/wordpress-publishpress-authors-plugin-4-10-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T16:03:13.855661Z", "id": "CVE-2026-25330", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:01:02.619Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25330", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T16:03:13.855661Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T16:02:35.956Z"}}], "cna": {"title": "WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "PublishPress", "product": "PublishPress Authors", "versions": [{"status": "affected", "changes": [{"at": "4.11.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.10.1"}], "packageName": "publishpress-authors", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:04.626Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/publishpress-authors/vulnerability/wordpress-publishpress-authors-plugin-4-10-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects PublishPress Authors: from n/a through <= 4.10.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:14:47.852Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25330", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:14:47.852Z", "dateReserved": "2026-02-02T12:52:29.367Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:56.890Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en PublishPress PublishPress Authors publishpress-authors permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a PublishPress Authors: desde n/a hasta &lt;= 4.10.1."}], "id": "CVE-2026-25330", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:17.597", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/publishpress-authors/vulnerability/wordpress-publishpress-authors-plugin-4-10-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.10.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[4.11.0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PublishPress Authors", "source": "cna", "vendor": "PublishPress"}, "product": "publishpress_authors", "vendor": "publishpress"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:28:38.460146+00:00", "value": {"mitigation_remediation": ["Update the PublishPress Authors plugin to a version newer than 4.10.1.", "Review and tighten WordPress role permissions to ensure only trusted users can use the plugin\u2019s administrative features.", "Sanitize and validate any plugin configuration values to prevent unauthorized configuration changes."], "summary": {"action": "Apply Update", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected system is the PublishPress Authors WordPress plugin for all versions up to and including 4.10.1. This vulnerability is present in every build of the plugin from the earliest release through 4.10.1. Users running this plugin on a WordPress site are potentially impacted unless they have already upgraded to a newer, fixed release.", "description_and_impact": "The vulnerability is a missing authorization flaw in the PublishPress Authors WordPress plugin. If access controls are misconfigured, an attacker can exploit the plugin to perform actions normally restricted to privileged users. This flaw is described as \"Incorrectly Configured Access Control Security Levels.\" The weakness maps to CWE-862, indicating a problem with improper authorization checks. No remote code execution or denial of service is described, so the primary risk is the ability to elevate privileges and alter content or settings within the WordPress site.", "risk_and_exploitability": "The severity score is 4.3, which falls in the low range on the CVSS scale, and the Exploit Prediction Scoring System score is lower than one percent, indicating a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. According to the description, exploitation requires that the attacker can leverage the WordPress site\u2019s role\u2011based access to find a user with elevated privileges configured to use the plugin. The exact attack vector is not explicitly stated, but it is inferred to involve authenticated interactions with the plugin\u2019s administrative interface. If the site administrators have assigned authors or editors roles that can use this plugin, an attacker who can obtain or impersonate such a role could exploit this flaw to tamper with content, users, or other sensitive plugin settings."}}}}, "created": "2026-02-20T10:08:56.504621+00:00", "updated": "2026-04-16T00:30:18.867754+00:00", "vendors": ["publishpress", "publishpress$PRODUCT$publishpress_authors", "wordpress", "wordpress$PRODUCT$wordpress"]}