{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25309", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:39.016Z", "datePublished": "2026-03-25T16:14:39.628Z", "dateUpdated": "2026-03-27T14:47:57.176Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "publishpress-authors", "product": "PublishPress Authors", "vendor": "PublishPress", "versions": [{"changes": [{"at": "4.11.0", "status": "unaffected"}], "lessThanOrEqual": "<= 4.10.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:20.626Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects PublishPress Authors: from n/a through <= 4.10.1.</p>"}], "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:39.628Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/publishpress-authors/vulnerability/wordpress-publishpress-authors-plugin-4-10-1-broken-access-control-vulnerability-2?_s_id=cve"}], "title": "WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:47:16.686749Z", "id": "CVE-2026-25309", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:47:57.176Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25309", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:47:16.686749Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:46:35.274Z"}}], "cna": {"title": "WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "PublishPress", "product": "PublishPress Authors", "versions": [{"status": "affected", "changes": [{"at": "4.11.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 4.10.1"}], "packageName": "publishpress-authors", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:20.626Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/publishpress-authors/vulnerability/wordpress-publishpress-authors-plugin-4-10-1-broken-access-control-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects PublishPress Authors: from n/a through <= 4.10.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:39.628Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25309", "state": "PUBLISHED", "dateUpdated": "2026-03-27T14:47:57.176Z", "dateReserved": "2026-02-02T12:20:39.016Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:39.628Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en PublishPress PublishPress Authors publishpress-authors permite Explotar Niveles de Seguridad de Control de Acceso Configurados Incorrectamente. Este problema afecta a PublishPress Authors: desde n/a hasta &lt;= 4.10.1."}], "id": "CVE-2026-25309", "lastModified": "2026-03-27T15:16:49.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:43.800", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/publishpress-authors/vulnerability/wordpress-publishpress-authors-plugin-4-10-1-broken-access-control-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.10.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PublishPress Authors", "source": "cna", "vendor": "PublishPress"}, "product": "publishpress_authors", "vendor": "publishpress"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:01:04.501759+00:00", "value": {"mitigation_remediation": ["Upgrade the PublishPress Authors plugin to version\u202f4.10.2 or later.", "Temporarily disable the PublishPress Authors plugin until a patch can be applied.", "Ensure that only trusted users have any level of access to the WordPress admin panel and limit role capabilities to the minimum required."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to author management functions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PublishPress Authors plugin for WordPress in all releases up to and including version\u202f4.10.1. Any WordPress site that has installed the plugin at or below this version is vulnerable. The plugin is distributed by PublishPress as part of the PublishPress Authors suite.", "description_and_impact": "The PublishPress Authors plugin for WordPress contains a missing authorization flaw that permits unauthorized users to access its author management functions. Identified as CWE\u2011862, the vulnerability allows an attacker to modify or delete author information without legitimate permission, potentially facilitating privilege escalation within the site. The flaw arises from incorrectly configured access control security levels, meaning that even users with limited roles could exploit the issue if the plugin does not enforce proper checks.", "risk_and_exploitability": "No CVSS or EPSS score is provided, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector involves an authenticated WordPress user, even with a low\u2011privilege role, interacting with the plugin\u2019s administrative interface or API. Because the flaw enables unauthorized changes to author data, the potential impact is moderate to high: it can compromise content attribution, disrupt author navigation, and possibly form a foothold for further privilege escalation. Sites with the affected plugin should address the issue promptly."}}}}, "created": "2026-03-25T21:34:06.966542+00:00", "updated": "2026-03-26T11:39:22.232931+00:00", "vendors": ["publishpress", "publishpress$PRODUCT$publishpress_authors", "wordpress", "wordpress$PRODUCT$wordpress"]}