{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39528", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:09.605Z", "datePublished": "2026-04-08T08:30:16.548Z", "dateUpdated": "2026-04-10T16:55:44.220Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "delicious-recipes", "product": "WP Delicious", "vendor": "WP Delicious", "versions": [{"changes": [{"at": "1.9.6", "status": "unaffected"}], "lessThanOrEqual": "1.9.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:59.373Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Delicious: from n/a through <= 1.9.5.</p>"}], "value": "Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through <= 1.9.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:16.548Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-9-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Delicious plugin <= 1.9.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T16:55:40.750530Z", "id": "CVE-2026-39528", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:55:44.220Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39528", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T16:55:40.750530Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:55:33.135Z"}}], "cna": {"title": "WordPress WP Delicious plugin <= 1.9.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "WP Delicious", "product": "WP Delicious", "versions": [{"status": "affected", "changes": [{"at": "1.9.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.5"}], "packageName": "delicious-recipes", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:59.373Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-9-5-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through <= 1.9.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Delicious: from n/a through <= 1.9.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:16.548Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39528", "state": "PUBLISHED", "dateUpdated": "2026-04-10T16:55:44.220Z", "dateReserved": "2026-04-07T10:48:09.605Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:16.548Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through <= 1.9.5."}], "id": "CVE-2026-39528", "lastModified": "2026-04-10T17:17:09.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:26.077", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-9-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.5]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "WP Delicious", "source": "cna", "vendor": "WP Delicious"}, "product": "wp_delicious", "vendor": "wpdelicious"}], "analysis": {"en": {"generated_at": "2026-04-08T09:53:26.845584+00:00", "value": {"mitigation_remediation": ["Upgrade WP Delicious to a version newer than 1.9.5", "If upgrade is not immediately possible, disable the plugin or remove unauthenticated access", "Monitor the site for signs of unauthorized activity"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Any WordPress installation using the WP Delicious plugin version 1.9.5 or earlier, including all releases from its initial release through 1.9.5, is affected. The plugin is developed by WP Delicious.", "description_and_impact": "WP Delicious is a WordPress plugin that provides recipe management features. The plugin contains a missing authorization flaw that leads to broken access control. As a result, attackers can gain unauthorized access to plugin administrative functions or data without proper authentication, potentially manipulating or reading sensitive content.", "risk_and_exploitability": "Security analysts regard missing authorization issues as a critical threat because they allow attackers full control over protected resources. The CVE provides no CVSS score or EPSS probability, but the absence of proper permission checks is a high\u2011severity flaw. The problem appears to be exploitable via web requests to the plugin\u2019s endpoints; the attack vector is likely a remote, authenticated or unauthenticated web request that bypasses role checks. The vulnerability is not yet listed in the CISA KEV catalog."}}}}, "created": "2026-04-08T19:30:26.455918+00:00", "updated": "2026-04-08T19:42:43.254846+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdelicious", "wpdelicious$PRODUCT$wp_delicious"]}