{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40728", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:19:20.453Z", "datePublished": "2026-04-15T10:21:33.433Z", "dateUpdated": "2026-04-29T09:52:04.761Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "magazine-blocks", "product": "Magazine Blocks", "vendor": "BlockArt", "versions": [{"changes": [{"at": "1.8.4", "status": "unaffected"}], "lessThanOrEqual": "1.8.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:45.325Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Magazine Blocks: from n/a through <= 1.8.3.</p>"}], "value": "Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Blocks: from n/a through <= 1.8.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:04.761Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/magazine-blocks/vulnerability/wordpress-magazine-blocks-plugin-1-8-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Magazine Blocks plugin <= 1.8.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T15:36:10.871819Z", "id": "CVE-2026-40728", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:36:33.255Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40728", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T15:36:10.871819Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T15:35:52.202Z"}}], "cna": {"title": "WordPress Magazine Blocks plugin <= 1.8.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "BlockArt", "product": "Magazine Blocks", "versions": [{"status": "affected", "changes": [{"at": "1.8.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.8.3"}], "packageName": "magazine-blocks", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-15T12:20:45.325Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/magazine-blocks/vulnerability/wordpress-magazine-blocks-plugin-1-8-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Blocks: from n/a through <= 1.8.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Magazine Blocks: from n/a through <= 1.8.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:04.761Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40728", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:52:04.761Z", "dateReserved": "2026-04-15T09:19:20.453Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-15T10:21:33.433Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Blocks: from n/a through <= 1.8.3."}], "id": "CVE-2026-40728", "lastModified": "2026-04-29T10:17:44.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-15T11:16:35.560", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/magazine-blocks/vulnerability/wordpress-magazine-blocks-plugin-1-8-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.8.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Magazine Blocks", "source": "cna", "vendor": "BlockArt"}, "product": "magazine_blocks", "vendor": "blockart"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T22:23:36.815551+00:00", "value": {"mitigation_remediation": ["Upgrade the Magazine Blocks plugin to the latest publicly released version", "Configure all plugin administrative pages to enforce the Administrator role", "Apply firewall or .htaccess rules that restrict direct access to plugin configuration URLs to trusted IPs or authenticated administrators", "Audit any custom theme or plugin code that calls Magazine Blocks functions and add explicit permission checks to ensure only authorized roles may execute privileged actions", "Monitor site logs for unauthorized attempts to access plugin settings"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access to plugin features enabling privilege escalation"}, "threat_synthesis": {"affected_systems": "The issue applies to all installations of BlockArt Magazine Blocks plugin version 1.8.3 and earlier. WordPress sites that have not yet upgraded to a patched release are vulnerable. No other vendors or products are listed in the CNA data.", "description_and_impact": "The BlockArt Magazine Blocks plugin contains a missing authorization check that allows users to exploit incorrectly configured access control levels. This flaw permits an attacker to perform actions restricted to administrators, such as altering plugin settings or manipulating content blocks. The vulnerability is classified as CWE\u2011862, indicating broken access control, and is not known to provide arbitrary code execution but does compromise site integrity and operational control.", "risk_and_exploitability": "The CVSS score is 4.3 and the EPSS score is <\u202f1\u202f%. The vulnerability is not listed in CISA\u2019s KEV catalog. Although no exploitation examples are publicly documented, the flaw could allow privilege escalation within a WordPress site if an attacker has access to a user account that can reach the plugin\u2019s administrative interfaces. Based on the description, the likely attack vector involves an authenticated user engaging with the plugin\u2019s management pages, as the missing authorization check permits actions that should be restricted to administrators. The potential impact includes unauthorized modification of plugin settings or content blocks, compromising site integrity and operational control."}}}}, "created": "2026-04-15T13:49:14.854558+00:00", "updated": "2026-04-15T22:30:16.067393+00:00", "vendors": ["blockart", "blockart$PRODUCT$magazine_blocks", "wordpress", "wordpress$PRODUCT$wordpress"]}