{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39569", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:32.434Z", "datePublished": "2026-04-08T08:30:19.885Z", "dateUpdated": "2026-04-29T09:52:02.105Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "12-step-meeting-list", "product": "12 Step Meeting List", "vendor": "AA Web Servant", "versions": [{"changes": [{"at": "3.19.10", "status": "unaffected"}], "lessThanOrEqual": "3.19.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.460Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.</p>"}], "value": "Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.105Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress 12 Step Meeting List plugin <= 3.19.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T16:44:48.481517Z", "id": "CVE-2026-39569", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:49:03.916Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39569", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T16:44:48.481517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:44:40.462Z"}}], "cna": {"title": "WordPress 12 Step Meeting List plugin <= 3.19.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AA Web Servant", "product": "12 Step Meeting List", "versions": [{"status": "affected", "changes": [{"at": "3.19.10", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.19.9"}], "packageName": "12-step-meeting-list", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:53.460Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.105Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39569", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:52:02.105Z", "dateReserved": "2026-04-07T10:48:32.434Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:19.885Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9."}], "id": "CVE-2026-39569", "lastModified": "2026-04-24T18:07:25.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:28.083", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.19.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "12 Step Meeting List", "source": "cna", "vendor": "AA Web Servant"}, "product": "12_step_meeting_list", "vendor": "aa_web_servant"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T18:27:15.537118+00:00", "value": {"mitigation_remediation": ["Upgrade the 12 Step Meeting List plugin to a version newer than 3.19.9", "If an update is not immediately available, disable the plugin or restrict access to its pages", "Apply any vendor-specified configuration changes to enforce proper access controls", "Verify that no unauthorized endpoints are accessible by performing a review of the plugin\u2019s functionalities"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to Sensitive Meeting Data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects AA Web Servant\u2019s 12 Step Meeting List plugin versions up to and including 3.19.9. WordPress sites that have installed any of these versions are at risk and should consider upgrading. No further version details or variants are listed, so any site using an affected version is potentially impacted.", "description_and_impact": "The 12 Step Meeting List plugin for WordPress contains a missing authorization flaw that permits users to access or manipulate meeting data that should be restricted. The primary impact is that an attacker with minimal access can view or modify meeting information, potentially exposing confidential schedules or altering content. The weakness maps to CWE-862, a broken access control issue.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. EPSS indicates a very low likelihood of exploitation (<1%), and the issue is not in the KEV catalog, suggesting limited current exploitation. The likely attack vector is that a visitor or an authenticated user could send crafted HTTP requests to the plugin\u2019s endpoints to bypass normal access controls; this inference comes from the description of \u201cmissing authorization\u201d and typical plugin behavior. If the plugin is publicly accessible, attackers might first gather credentials or access the site to exploit the flaw."}}}}, "created": "2026-04-08T19:30:07.937716+00:00", "updated": "2026-04-13T14:25:21.569600+00:00", "vendors": ["aa_web_servant", "aa_web_servant$PRODUCT$12_step_meeting_list", "wordpress", "wordpress$PRODUCT$wordpress"]}