{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25409", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:19.001Z", "datePublished": "2026-02-19T08:27:05.400Z", "dateUpdated": "2026-04-28T16:14:58.299Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-jamstack-deployments", "product": "JAMstack Deployments", "vendor": "crgeary", "versions": [{"lessThanOrEqual": "1.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:08.955Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects JAMstack Deployments: from n/a through <= 1.1.1.</p>"}], "value": "Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JAMstack Deployments: from n/a through <= 1.1.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:58.299Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-jamstack-deployments/vulnerability/wordpress-jamstack-deployments-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress JAMstack Deployments plugin <= 1.1.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T18:46:11.219624Z", "id": "CVE-2026-25409", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:23:20.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T18:46:11.219624Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T18:45:17.209Z"}}], "cna": {"title": "WordPress JAMstack Deployments plugin <= 1.1.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "crgeary", "product": "JAMstack Deployments", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.1"}], "packageName": "wp-jamstack-deployments", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:08.955Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-jamstack-deployments/vulnerability/wordpress-jamstack-deployments-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JAMstack Deployments: from n/a through <= 1.1.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects JAMstack Deployments: from n/a through <= 1.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:14:55.911Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25409", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:14:55.911Z", "dateReserved": "2026-02-02T12:53:19.001Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:05.400Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JAMstack Deployments: from n/a through <= 1.1.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en crgeary JAMstack Deployments wp-jamstack-deployments permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a JAMstack Deployments: desde n/a hasta &lt;= 1.1.1."}], "id": "CVE-2026-25409", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:22.610", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-jamstack-deployments/vulnerability/wordpress-jamstack-deployments-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "JAMstack Deployments", "source": "cna", "vendor": "crgeary"}, "product": "jamstack_deployments", "vendor": "crgeary"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:17:08.894032+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 1.1.1 that addresses the access control flaw", "If immediate upgrade is not feasible, modify file and directory permissions so that only administrators can modify plugin settings", "Restrict access to the WordPress admin area using IP whitelisting and monitor logs for unexpected access attempts"], "summary": {"action": "Assess Impact", "impact": "Unauthorized access to protected plugin functionality due to missing authorization"}, "threat_synthesis": {"affected_systems": "Products affected are the WordPress JAMstack Deployments plugin from the vendor crgeary, version 1.1.1 and earlier. Any WordPress installation running this plugin is susceptible, regardless of other site configurations.", "description_and_impact": "The vulnerability in the WordPress JAMstack Deployments plugin arises from an absence of proper authorization checks, allowing users to access or modify plugin features that should be restricted. This flaw can enable a non-administrative user to manipulate deployment settings, potentially exposing sensitive data or altering site behavior. The weakness is classified as CWE-862, reflecting improper authorization control.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation in the wild. This vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The attack vector is likely through the plugin\u2019s administrative interface, where an authenticated but unauthorized user could exploit the missing access controls. Successful exploitation would compromise confidentiality, integrity, or availability of deployment configurations within the affected WordPress site."}}}}, "created": "2026-02-20T10:08:25.650391+00:00", "updated": "2026-04-16T00:30:18.852681+00:00", "vendors": ["crgeary", "crgeary$PRODUCT$jamstack_deployments", "wordpress", "wordpress$PRODUCT$wordpress"]}