{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39563", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:32.434Z", "datePublished": "2026-04-08T08:30:18.659Z", "dateUpdated": "2026-04-10T16:51:23.407Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "share-this-image", "product": "Share This Image", "vendor": "ILLID", "versions": [{"changes": [{"at": "2.13", "status": "unaffected"}], "lessThanOrEqual": "2.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.396Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Share This Image: from n/a through <= 2.12.</p>"}], "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.12."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:18.659Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-12-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Share This Image plugin <= 2.12 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T16:51:15.468446Z", "id": "CVE-2026-39563", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:51:23.407Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39563", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T16:51:15.468446Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:51:02.870Z"}}], "cna": {"title": "WordPress Share This Image plugin <= 2.12 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "ILLID", "product": "Share This Image", "versions": [{"status": "affected", "changes": [{"at": "2.13", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.12"}], "packageName": "share-this-image", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:53.396Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-12-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.12.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Share This Image: from n/a through <= 2.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:18.659Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39563", "state": "PUBLISHED", "dateUpdated": "2026-04-10T16:51:23.407Z", "dateReserved": "2026-04-07T10:48:32.434Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:18.659Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.12."}], "id": "CVE-2026-39563", "lastModified": "2026-04-10T17:17:10.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:27.493", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-12-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.12]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "2.13"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Share This Image", "source": "cna", "vendor": "ILLID"}, "product": "share_this_image", "vendor": "illid"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:50:36.910799+00:00", "value": {"mitigation_remediation": ["Upgrade the Share This Image plugin to a version newer than 2.12 if an upgrade is available. If no newer version exists, consider disabling or removing the plugin from the WordPress installation. After mitigation, review site content, logs and user permissions to ensure no unauthorized changes were made. Maintain regular monitoring for unusual activity."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Any WordPress site that uses the Share This Image plugin with a version up to and including 2.12 is affected. The issue impacts all installations of the plugin within that version range regardless of other security controls.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows attackers to perform actions within the Share This Image plugin that should be restricted to authorized users. By sending crafted requests to the plugin\u2019s endpoints, an attacker could access, modify or delete content or settings that otherwise would be protected. This weakness could lead to data compromise or unwanted changes without needing authentication.", "risk_and_exploitability": "No CVSS score or EPSS value is provided, and the vulnerability is not listed in the CISA KEV catalog. The flaw is likely exploitable over the web, requiring the ability to send HTTP requests to the plugin\u2019s endpoints. The absence of access controls means that any user who can reach those endpoints can perform privileged actions, making the risk high. Information about successful exploits is not publicly reported, but the design flaw makes it straightforward for an attacker with network access to exploit this vulnerability."}}}}, "created": "2026-04-08T19:30:13.008288+00:00", "updated": "2026-04-08T19:42:32.147013+00:00", "vendors": ["illid", "illid$PRODUCT$share_this_image", "wordpress", "wordpress$PRODUCT$wordpress"]}