{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39563", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:32.434Z", "datePublished": "2026-04-08T08:30:18.659Z", "dateUpdated": "2026-04-29T09:52:02.266Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "share-this-image", "product": "Share This Image", "vendor": "ILLID", "versions": [{"changes": [{"at": "2.13", "status": "unaffected"}], "lessThanOrEqual": "2.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.396Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Share This Image: from n/a through <= 2.12.</p>"}], "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.12."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.266Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-12-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Share This Image plugin <= 2.12 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T16:51:15.468446Z", "id": "CVE-2026-39563", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:51:23.407Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39563", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T16:51:15.468446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:51:02.870Z"}}], "cna": {"title": "WordPress Share This Image plugin <= 2.12 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "ILLID", "product": "Share This Image", "versions": [{"status": "affected", "changes": [{"at": "2.13", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.12"}], "packageName": "share-this-image", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:53.396Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-12-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.12.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Share This Image: from n/a through <= 2.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:18.659Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39563", "state": "PUBLISHED", "dateUpdated": "2026-04-10T16:51:23.407Z", "dateReserved": "2026-04-07T10:48:32.434Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:18.659Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.12."}], "id": "CVE-2026-39563", "lastModified": "2026-04-29T10:17:28.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:27.493", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-12-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.12]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "2.13"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Share This Image", "source": "cna", "vendor": "ILLID"}, "product": "share_this_image", "vendor": "illid"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T18:52:27.022241+00:00", "value": {"mitigation_remediation": ["Upgrade the Share This Image plugin to a version newer than 2.12, ideally the latest release after the vulnerability was disclosed.", "If an upgrade is not immediately possible, disable or remove the plugin to eliminate the attack surface.", "Restrict access to the plugin\u2019s admin or action endpoints using network filtering or role\u2011based controls to limit exposure to trusted users."], "summary": {"action": "Apply Patch", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have the Share This Image plugin installed with a version number less than or equal to 2.12 are affected. The plugin is distributed by ILLID; no additional vendor or product details are provided in the input.", "description_and_impact": "The Share This Image plugin for WordPress suffers from a missing authorization flaw that allows an attacker to invoke privileged functions intended only for administrators or editors. This vulnerability can be abused to modify or delete content, view private data, or otherwise perform actions normally restricted to higher\u2011privilege users. The weakness is classified as CWE\u2011862, indicating an improper or missing access\u2011control check that undermines the intended security boundaries. Consequently, the plugin can expose confidential information, alter the integrity of site content, and potentially disrupt normal operation through unauthorized changes.", "risk_and_exploitability": "The CVSS score of 5.3 categorizes this issue as moderate severity, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via unauthenticated or low\u2011privilege web requests targeting the plugin\u2019s exposed admin endpoints; if an attacker discovers or guesses these URLs, they can execute privileged actions without needing elevated credentials."}}}}, "created": "2026-04-08T19:30:13.008288+00:00", "updated": "2026-04-13T14:25:23.802144+00:00", "vendors": ["illid", "illid$PRODUCT$share_this_image", "wordpress", "wordpress$PRODUCT$wordpress"]}