{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39561", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:26.893Z", "datePublished": "2026-04-08T08:30:18.238Z", "dateUpdated": "2026-04-10T16:54:06.548Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "revive-so", "product": "Revive.so", "vendor": "WP Chill", "versions": [{"changes": [{"at": "2.0.8", "status": "unaffected"}], "lessThanOrEqual": "2.0.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Sharief | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.498Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Revive.so: from n/a through <= 2.0.7.</p>"}], "value": "Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:18.238Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/revive-so/vulnerability/wordpress-revive-so-plugin-2-0-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Revive.so plugin <= 2.0.7 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T16:53:22.110126Z", "id": "CVE-2026-39561", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:54:06.548Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39561", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T16:53:22.110126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:53:16.150Z"}}], "cna": {"title": "WordPress Revive.so plugin <= 2.0.7 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Sharief | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "WP Chill", "product": "Revive.so", "versions": [{"status": "affected", "changes": [{"at": "2.0.8", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.7"}], "packageName": "revive-so", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:53.498Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/revive-so/vulnerability/wordpress-revive-so-plugin-2-0-7-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.7.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Revive.so: from n/a through <= 2.0.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:18.238Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39561", "state": "PUBLISHED", "dateUpdated": "2026-04-10T16:54:06.548Z", "dateReserved": "2026-04-07T10:48:26.893Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:18.238Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.7."}], "id": "CVE-2026-39561", "lastModified": "2026-04-10T17:17:09.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:27.210", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/revive-so/vulnerability/wordpress-revive-so-plugin-2-0-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.0.8,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Revive.so", "source": "cna", "vendor": "WP Chill"}, "product": "revive.so", "vendor": "wp_chill"}], "analysis": {"en": {"generated_at": "2026-04-08T11:08:42.934878+00:00", "value": {"mitigation_remediation": ["Update the Revive.so plugin to version\u00a02.0.8 or later to eliminate the access\u2011control issue.", "If immediate update is not possible, restrict the plugin\u2019s administrative URLs to users with appropriate WordPress roles, for example by configuring .htaccess rules or using a role\u2011based access control plugin.", "Consider disabling or uninstalling the Revive.so plugin if it is not essential to your site\u2019s functionality."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Revive.so WordPress plugin distributed by WP Chill. All installations running version\u00a02.0.7 or earlier are susceptible, while newer releases are presumed to contain the fix.", "description_and_impact": "A missing authorization check in the WP Chill Revive.so plugin lets an attacker bypass safeguards that normally confine certain actions to privileged users. Exploiting this flaw can enable an attacker to execute operations reserved for administrators, such as modifying or deleting content, accessing sensitive information, or taking control of site functionality. The weakness is classified as CWE\u2011862, a typical broken access control issue.", "risk_and_exploitability": "The CVE record lacks explicit CVSS or EPSS data, yet the straightforward authorization bypass suggests a high likelihood of successful exploitation. Off\u2011the\u2011shelf, an attacker can send crafted HTTP requests to the plugin\u2019s endpoints; no additional privileges or complex conditions are required, making the flaw broadly exploitable. The absence of a listing in the CISA KEV catalog does not reduce the threat to affected sites."}}}}, "created": "2026-04-08T19:30:16.346687+00:00", "updated": "2026-04-08T19:42:34.405418+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_chill", "wp_chill$PRODUCT$revive.so"]}