{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27055", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:30.505Z", "datePublished": "2026-02-19T08:27:09.973Z", "dateUpdated": "2026-04-28T16:15:00.531Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "penci-ai", "product": "Penci AI SmartContent Creator", "vendor": "PenciDesign", "versions": [{"lessThanOrEqual": "2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:11.896Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in PenciDesign Penci AI SmartContent Creator penci-ai allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Penci AI SmartContent Creator: from n/a through <= 2.0.</p>"}], "value": "Missing Authorization vulnerability in PenciDesign Penci AI SmartContent Creator penci-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Penci AI SmartContent Creator: from n/a through <= 2.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:00.531Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/penci-ai/vulnerability/wordpress-penci-ai-smartcontent-creator-plugin-2-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Penci AI SmartContent Creator plugin <= 2.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T17:39:37.808308Z", "id": "CVE-2026-27055", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:51:10.164Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27055", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T17:39:37.808308Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T17:33:50.497Z"}}], "cna": {"title": "WordPress Penci AI SmartContent Creator plugin <= 2.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PenciDesign", "product": "Penci AI SmartContent Creator", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0"}], "packageName": "penci-ai", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:59.438Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/penci-ai/vulnerability/wordpress-penci-ai-smartcontent-creator-plugin-2-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PenciDesign Penci AI SmartContent Creator penci-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Penci AI SmartContent Creator: from n/a through <= 2.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in PenciDesign Penci AI SmartContent Creator penci-ai allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Penci AI SmartContent Creator: from n/a through <= 2.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.593Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27055", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:51:10.164Z", "dateReserved": "2026-02-17T13:23:30.505Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:09.973Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PenciDesign Penci AI SmartContent Creator penci-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Penci AI SmartContent Creator: from n/a through <= 2.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en PenciDesign Penci AI SmartContent Creator penci-ai permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Penci AI SmartContent Creator: desde n/a hasta &lt;= 2.0."}], "id": "CVE-2026-27055", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:26.673", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/penci-ai/vulnerability/wordpress-penci-ai-smartcontent-creator-plugin-2-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Penci AI SmartContent Creator", "source": "cna", "vendor": "PenciDesign"}, "product": "penci_ai_smartcontent_creator", "vendor": "pencidesign"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:27:29.613456+00:00", "value": {"mitigation_remediation": ["Upgrade Penci AI SmartContent Creator to a version newer than 2.0 as soon as the vendor releases a patch.", "If an upgrade cannot be performed immediately, restrict the plugin\u2019s functionality to administrators by adjusting WordPress role permissions or using a capability\u2011control plugin.", "Consider disabling or uninstalling the plugin until a patched version is available, especially if the site hosts sensitive content.", "As an additional temporary safeguard, block the plugin\u2019s public endpoints via a web\u2011application firewall or access\u2011control rules if possible."], "summary": {"action": "Upgrade", "impact": "Unauthorized content modification or creation due to missing authorization checks"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the Penci AI SmartContent Creator plugin version 2.0 or earlier are affected. This includes any site that has installed the plugin from the first public release up to the 2.0 release; versions later than 2.0 are not known to be vulnerable.", "description_and_impact": "The Penci AI SmartContent Creator plugin contains a missing authorization check, which results in a broken access control vulnerability. An attacker who can reach the plugin\u2019s endpoints may create new posts, modify or delete existing content, or execute other privileged actions without proper permission. This flaw aligns with CWE-862, indicating that the application fails to verify a user\u2019s entitlement before allowing access to sensitive operations. The CVSS base score of 4.3 reflects moderate impact, with potential loss of data integrity or availability if the vulnerability is abused. Based on the description, it is inferred that the attacker may need to be a logged\u2011in WordPress user, although the plugin\u2019s endpoints may be reachable without authentication if not properly protected.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS probability of less than 1% suggests that the overall likelihood of exploitation is low on a national scale. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to target sites that use a recent version of WordPress with the plugin active, especially if the plugin\u2019s endpoints are exposed to unauthenticated users. If authentication is required, an attacker would need to compromise or guess a legitimate WordPress user account with sufficient role privileges."}}}}, "created": "2026-02-20T10:08:05.969565+00:00", "updated": "2026-04-16T06:30:06.031860+00:00", "vendors": ["pencidesign", "pencidesign$PRODUCT$penci_ai_smartcontent_creator", "wordpress", "wordpress$PRODUCT$wordpress"]}