{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39639", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.491Z", "datePublished": "2026-04-08T08:30:31.738Z", "dateUpdated": "2026-04-09T15:53:34.788Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "rps-include-content", "product": "RPS Include Content", "vendor": "redpixelstudios", "versions": [{"lessThanOrEqual": "1.2.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "\uad8c\ubbfc\uc131 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:36.108Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects RPS Include Content: from n/a through <= 1.2.2.</p>"}], "value": "Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through <= 1.2.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:31.738Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/rps-include-content/vulnerability/wordpress-rps-include-content-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress RPS Include Content plugin <= 1.2.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:52:42.738284Z", "id": "CVE-2026-39639", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:53:34.788Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:52:42.738284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:52:06.662Z"}}], "cna": {"title": "WordPress RPS Include Content plugin <= 1.2.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "\uad8c\ubbfc\uc131 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "redpixelstudios", "product": "RPS Include Content", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.2"}], "packageName": "rps-include-content", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:36.108Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/rps-include-content/vulnerability/wordpress-rps-include-content-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through <= 1.2.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects RPS Include Content: from n/a through <= 1.2.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:31.738Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39639", "state": "PUBLISHED", "dateUpdated": "2026-04-09T15:53:34.788Z", "dateReserved": "2026-04-07T10:57:43.491Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:31.738Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through <= 1.2.2."}], "id": "CVE-2026-39639", "lastModified": "2026-04-09T16:16:28.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:34.670", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/rps-include-content/vulnerability/wordpress-rps-include-content-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "RPS Include Content", "source": "cna", "vendor": "redpixelstudios"}, "product": "rps_include_content", "vendor": "redpixelstudios"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:09:22.578689+00:00", "value": {"mitigation_remediation": ["Update the RPS Include Content plugin to a version newer than 1.2.2", "If an immediate update is not feasible, disable the plugin until an update is applied", "Verify the plugin\u2019s access control settings to ensure that only authorized users can include content", "Consider implementing additional Web Application Firewall rules to block unauthorized inclusion requests"], "summary": {"action": "Update Plugin", "impact": "Unauthorized content inclusion"}, "threat_synthesis": {"affected_systems": "RedPixelStudios RPS Include Content plugin versions up to and including 1.2.2 are affected. The issue applies to all installations of the plugin up to version 1.2.2, regardless of the WordPress core version, and the vulnerability is present from earlier releases through the stated maximum version.", "description_and_impact": "The RPS Include Content plugin for WordPress has a Missing Authorization flaw that allows an attacker to include content without proper access controls. This broken access control can lead to the unauthorized disclosure or manipulation of website content, exposing sensitive data or enabling further exploitation. The weakness is classified as CWE\u2011862, indicating an authorization failure. The CVE description specifically notes that incorrectly configured security levels enable exploitation, underscoring the risk of insufficient privilege checks.", "risk_and_exploitability": "The CVE lacks an official CVSS score and the EPSS score is unavailable, so the exact severity measure is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated user exploiting incorrect access control settings, though the precise conditions are not detailed. Because the flaw permits arbitrary content inclusion, an attacker who can trigger the vulnerable function could read or embed sensitive files or viewpoints, potentially compromising the confidentiality or integrity of the site. The absence of exploitability metrics suggests the risk is contingent on configuration but could be significant for sites with permissive settings."}}}}, "created": "2026-04-08T19:29:22.595943+00:00", "updated": "2026-04-08T19:41:36.094316+00:00", "vendors": ["redpixelstudios", "redpixelstudios$PRODUCT$rps_include_content", "wordpress", "wordpress$PRODUCT$wordpress"]}