{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39588", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:44.714Z", "datePublished": "2026-04-08T08:30:21.468Z", "dateUpdated": "2026-04-29T09:52:02.195Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "nm-gift-registry-and-wishlist-lite", "product": "NM Gift Registry and Wishlist Lite", "vendor": "nmerii", "versions": [{"changes": [{"at": "5.14", "status": "unaffected"}], "lessThanOrEqual": "5.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:55.480Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13.</p>"}], "value": "Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.195Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/nm-gift-registry-and-wishlist-lite/vulnerability/wordpress-nm-gift-registry-and-wishlist-lite-plugin-5-13-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress NM Gift Registry and Wishlist Lite plugin <= 5.13 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:38:53.220695Z", "id": "CVE-2026-39588", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T19:36:12.989Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39588", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T18:38:53.220695Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:20:04.695Z"}}], "cna": {"title": "WordPress NM Gift Registry and Wishlist Lite plugin <= 5.13 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "nmerii", "product": "NM Gift Registry and Wishlist Lite", "versions": [{"status": "affected", "changes": [{"at": "5.14", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.13"}], "packageName": "nm-gift-registry-and-wishlist-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:55.480Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/nm-gift-registry-and-wishlist-lite/vulnerability/wordpress-nm-gift-registry-and-wishlist-lite-plugin-5-13-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:21.468Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39588", "state": "PUBLISHED", "dateUpdated": "2026-04-13T19:36:12.989Z", "dateReserved": "2026-04-07T10:48:44.714Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:21.468Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13."}], "id": "CVE-2026-39588", "lastModified": "2026-04-24T18:07:25.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:29.063", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/nm-gift-registry-and-wishlist-lite/vulnerability/wordpress-nm-gift-registry-and-wishlist-lite-plugin-5-13-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NM Gift Registry and Wishlist Lite", "source": "cna", "vendor": "nmerii"}, "product": "nm_gift_registry_and_wishlist_lite", "vendor": "nmerii"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T20:59:50.601545+00:00", "value": {"mitigation_remediation": ["Update the NM Gift Registry and Wishlist Lite plugin to a version newer than 5.13", "If an update is unavailable, remove or disable the plugin from the WordPress installation", "Verify that all access levels within the plugin\u2019s settings enforce proper user permissions", "Monitor log files for anomalous access attempts to registry or wishlist data"], "summary": {"action": "Patch", "impact": "Unauthorized Access to Plugin Data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the nmerii NM Gift Registry and Wishlist Lite plugin for WordPress, versions from the earliest available up to and including 5.13. Users of any earlier minor releases in the 5.x line are also susceptible.", "description_and_impact": "A missing authorization check in the NM Gift Registry and Wishlist Lite WordPress plugin allows an attacker to bypass intended security controls. Exploiting this flaw can enable reading or manipulating registry and wishlist data that should be restricted to authorized users only. The weakness is a classic broken access control, matching CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, and the low EPSS score (<1%) suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation would require access to a WordPress site running the affected plugin, and an attacker could leverage existing authenticated accounts or insufficiently protected endpoints to gain unauthorized access. Because the vulnerability stems from missing access checks rather than an arbitrary input flaw, it does not immediately lead to code execution but can still compromise data confidentiality and integrity."}}}}, "created": "2026-04-08T19:29:59.753968+00:00", "updated": "2026-04-14T16:39:46.111779+00:00", "vendors": ["nmerii", "nmerii$PRODUCT$nm_gift_registry_and_wishlist_lite", "wordpress", "wordpress$PRODUCT$wordpress"]}