{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39610", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:23.579Z", "dateUpdated": "2026-04-29T09:52:02.574Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpxmas-snow", "product": "WpXmas-Snow", "vendor": "Pankaj Kumar", "versions": [{"lessThanOrEqual": "1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.625Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WpXmas-Snow: from n/a through <= 1.1.</p>"}], "value": "Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.574Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpxmas-snow/vulnerability/wordpress-wpxmas-snow-plugin-1-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WpXmas-Snow plugin <= 1.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:37:21.981762Z", "id": "CVE-2026-39610", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T19:33:56.695Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39610", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T18:37:21.981762Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:19:43.359Z"}}], "cna": {"title": "WordPress WpXmas-Snow plugin <= 1.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Pankaj Kumar", "product": "WpXmas-Snow", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1"}], "packageName": "wpxmas-snow", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:33.625Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpxmas-snow/vulnerability/wordpress-wpxmas-snow-plugin-1-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WpXmas-Snow: from n/a through <= 1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:23.579Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39610", "state": "PUBLISHED", "dateUpdated": "2026-04-13T19:33:56.695Z", "dateReserved": "2026-04-07T10:48:55.140Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:23.579Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1."}], "id": "CVE-2026-39610", "lastModified": "2026-04-24T18:06:58.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:30.440", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpxmas-snow/vulnerability/wordpress-wpxmas-snow-plugin-1-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WpXmas-Snow", "source": "cna", "vendor": "Pankaj Kumar"}, "product": "wpxmas-snow", "vendor": "pankaj_kumar"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T21:51:44.132820+00:00", "value": {"mitigation_remediation": ["Upgrade the WpXmas\u2011Snow plugin to version\u00a01.2 or later if available; if not, remove the plugin from the site until an update is released.", "If removal is not possible, configure the WordPress role system to restrict access to the plugin\u2019s administrative pages to administrators only.", "Verify that no protected endpoints are exposed to non\u2011administrator users by reviewing user permissions and adjusting the plugin\u2019s access controls as needed."], "summary": {"action": "Patch Now", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of WpXmas\u2011Snow by Pankaj Kumar from the initial release up to version\u00a01.1. Any WordPress site that has one of these versions deployed is at risk.", "description_and_impact": "A missing authorization check in the WordPress WpXmas\u2011Snow plugin allows attackers to bypass access controls and perform operations normally reserved for privileged users. The vulnerability, classified as CWE\u2011862, enables browsing, modifying or deleting content and changing plugin settings, effectively granting unauthorized administrative capabilities.", "risk_and_exploitability": "The CVSS score of 5.3 reflects moderate severity, while the EPSS score of less than 1% indicates that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited public exploitation. Based on the description, the attack vector is likely the web interface where a standard authenticated user accesses a protected endpoint without proper authorization. The impact is confined to the compromised WordPress installation but can be significant if sensitive content or configuration is present."}}}}, "created": "2026-04-08T19:29:50.091627+00:00", "updated": "2026-04-14T16:39:40.700614+00:00", "vendors": ["pankaj_kumar", "pankaj_kumar$PRODUCT$wpxmas-snow", "wordpress", "wordpress$PRODUCT$wordpress"]}