{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27042", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:18.876Z", "datePublished": "2026-02-19T08:27:09.364Z", "dateUpdated": "2026-04-28T16:14:59.685Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "notificationx", "product": "NotificationX", "vendor": "WPDeveloper", "versions": [{"changes": [{"at": "3.2.2", "status": "unaffected"}], "lessThanOrEqual": "3.2.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:10.932Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WPDeveloper NotificationX notificationx allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NotificationX: from n/a through <= 3.2.1.</p>"}], "value": "Missing Authorization vulnerability in WPDeveloper NotificationX notificationx allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NotificationX: from n/a through <= 3.2.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.685Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/notificationx/vulnerability/wordpress-notificationx-plugin-3-2-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress NotificationX plugin <= 3.2.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T18:18:28.190524Z", "id": "CVE-2026-27042", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:49:30.243Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27042", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T18:18:28.190524Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T18:17:51.143Z"}}], "cna": {"title": "WordPress NotificationX plugin <= 3.2.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPDeveloper", "product": "NotificationX", "versions": [{"status": "affected", "changes": [{"at": "3.2.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.2.1"}], "packageName": "notificationx", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:52.798Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/notificationx/vulnerability/wordpress-notificationx-plugin-3-2-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPDeveloper NotificationX notificationx allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NotificationX: from n/a through <= 3.2.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WPDeveloper NotificationX notificationx allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NotificationX: from n/a through <= 3.2.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.635Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27042", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:49:30.243Z", "dateReserved": "2026-02-17T13:23:18.876Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:09.364Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPDeveloper NotificationX notificationx allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NotificationX: from n/a through <= 3.2.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WPDeveloper NotificationX notificationx permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a NotificationX: desde n/a hasta &lt;= 3.2.1."}], "id": "CVE-2026-27042", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:26.243", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/notificationx/vulnerability/wordpress-notificationx-plugin-3-2-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.2.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.2.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NotificationX", "source": "cna", "vendor": "WPDeveloper"}, "product": "notificationx", "vendor": "wpdeveloper"}], "analysis": {"en": {"generated_at": "2026-04-16T00:09:40.021433+00:00", "value": {"mitigation_remediation": ["Update NotificationX to the latest release available from WPDeveloper; the current vulnerable range is <=3.2.1.", "If the plugin is not required for site functionality, remove or deactivate it entirely to eliminate the risk.", "Ensure WordPress role\u2011based access controls are configured so that only administrators can modify plugin settings or execute plugin actions.", "If an immediate update or removal is not possible, block direct web access to NotificationX administrative URLs using server\u2011side rules (.htaccess, nginx config, or a firewall) to prevent unauthorized configuration changes."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access to Plugin Functionality"}, "threat_synthesis": {"affected_systems": "WPDeveloper's NotificationX plugin, versions from any starting version up to and including 3.2.1, is affected. The issue spans the entire plugin codebase for those releases.", "description_and_impact": "The NotificationX plugin for WordPress suffers from a missing authorization check that allows attackers to exploit incorrectly configured access control security levels. This broken access control vulnerability can enable unauthorized users to gain access to plugin functions or sensitive configuration data, potentially leading to data tampering or unauthorized changes to notifications.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers could potentially reach the affected code via HTTP requests to the plugin\u2019s administrative interfaces on a WordPress site, though the exact attack path was not detailed in the CVE description, so the inferred vector is remote through web interfaces."}}}}, "created": "2026-02-20T10:08:08.540585+00:00", "updated": "2026-04-16T00:15:18.639569+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdeveloper", "wpdeveloper$PRODUCT$notificationx"]}