{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25391", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.231Z", "datePublished": "2026-02-19T08:27:02.677Z", "dateUpdated": "2026-04-28T16:14:57.622Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ai-content-generation", "product": "WP Wand", "vendor": "WP Grids", "versions": [{"lessThanOrEqual": "1.3.07", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:07.038Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Wand: from n/a through <= 1.3.07.</p>"}], "value": "Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Wand: from n/a through <= 1.3.07."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:57.622Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ai-content-generation/vulnerability/wordpress-wp-wand-plugin-1-3-07-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Wand plugin <= 1.3.07 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T19:24:38.523817Z", "id": "CVE-2026-25391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:12:33.423Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25391", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:07.231Z", "datePublished": "2026-02-19T08:27:02.677Z", "dateUpdated": "2026-04-28T13:12:33.423Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ai-content-generation", "product": "WP Wand", "vendor": "WP Grids", "versions": [{"lessThanOrEqual": "1.3.07", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:46.421Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Wand: from n/a through <= 1.3.07.</p>"}], "value": "Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Wand: from n/a through <= 1.3.07."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.747Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ai-content-generation/vulnerability/wordpress-wp-wand-plugin-1-3-07-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Wand plugin <= 1.3.07 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T19:24:38.523817Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:23:44.438Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Wand: from n/a through <= 1.3.07."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WP Grids WP Wand ai-content-generation permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Wand: desde n/a hasta &lt;= 1.3.07."}], "id": "CVE-2026-25391", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:21.237", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ai-content-generation/vulnerability/wordpress-wp-wand-plugin-1-3-07-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.07]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Wand", "source": "cna", "vendor": "WP Grids"}, "product": "wp_wand", "vendor": "wp_grids"}], "analysis": {"en": {"generated_at": "2026-04-16T00:20:19.746683+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Wand plugin to a version newer than 1.3.07 once a fix is released.", "If an upgrade is not immediately possible, restrict the plugin\u2019s functionality by removing any administrative or content\u2011creation capabilities from untrusted user roles, or disable the plugin on production sites.", "Apply a web application firewall rule that blocks or rate\u2011limits access to the plugin\u2019s admin endpoints until a patch is available."], "summary": {"action": "Assess Impact", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The affected product is the WP Wand plugin from WP Grids. Versions from any release up to and including 1.3.07 are impacted. WordPress sites that have installed or enabled this plugin and have not applied a later version are at risk.", "description_and_impact": "The vulnerability is a missing authorization flaw in the WP Wand AI content generation plugin for WordPress. Because the plugin fails to enforce proper access control, attackers can reach or modify protected content or other sensitive data. This flaw aligns with CWE\u2011862 and can let an unauthenticated user read or alter information that should be restricted, potentially compromising confidentiality and integrity for the site.", "risk_and_exploitability": "The CVSS score of 5.4 places the issue at a moderate risk level. The EPSS score is below 1\u202f%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. The most likely attack vector is a remote web request: an attacker can craft HTTP inputs that bypass the missing authorization checks and access or modify content directly."}}}}, "created": "2026-02-20T10:08:34.543343+00:00", "updated": "2026-04-16T00:30:18.856832+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_grids", "wp_grids$PRODUCT$wp_wand"]}