{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39605", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:22.401Z", "dateUpdated": "2026-04-10T16:39:35.893Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "super-custom-login", "product": "Super Custom Login", "vendor": "Obadiah", "versions": [{"lessThanOrEqual": "1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.634Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Super Custom Login: from n/a through <= 1.1.</p>"}], "value": "Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from n/a through <= 1.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:22.401Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/super-custom-login/vulnerability/wordpress-super-custom-login-plugin-1-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Super Custom Login plugin <= 1.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T16:38:32.823047Z", "id": "CVE-2026-39605", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:39:35.893Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39605", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T16:38:32.823047Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:38:25.660Z"}}], "cna": {"title": "WordPress Super Custom Login plugin <= 1.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Obadiah", "product": "Super Custom Login", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1"}], "packageName": "super-custom-login", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:33.634Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/super-custom-login/vulnerability/wordpress-super-custom-login-plugin-1-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from n/a through <= 1.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Super Custom Login: from n/a through <= 1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:22.401Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39605", "state": "PUBLISHED", "dateUpdated": "2026-04-10T16:39:35.893Z", "dateReserved": "2026-04-07T10:48:55.140Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:22.401Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from n/a through <= 1.1."}], "id": "CVE-2026-39605", "lastModified": "2026-04-10T17:17:10.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:29.757", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/super-custom-login/vulnerability/wordpress-super-custom-login-plugin-1-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Super Custom Login", "source": "cna", "vendor": "Obadiah"}, "product": "super_custom_login", "vendor": "obadiah"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:44:39.462480+00:00", "value": {"mitigation_remediation": ["Update the Super Custom Login plugin to a version newer than 1.1", "Verify that access control settings are correctly configured after the update", "If plugin update is not immediately possible, disable or remove the plugin to eliminate the attack surface", "Restrict administrative access to trusted users and enable two\u2011factor authentication on WordPress admin pages"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Obadiah Super Custom Login plugin version 1.1 or earlier are affected. The vulnerability applies to all releases in this range, regardless of configuration, until the plugin is updated beyond 1.1.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Super Custom Login WordPress plugin that allows an attacker to exploit incorrectly configured access control security levels. Because the plugin does not enforce proper checks, unauthenticated or insufficiently privileged users could potentially access or modify settings, view sensitive information, or perform administrative actions that should be restricted. The impact is a direct loss of confidentiality, integrity, or availability of the website\u2019s configuration and possibly user data.", "risk_and_exploitability": "The available data does not include a CVSS score or EPSS value, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a web-based exploitation path through the plugin\u2019s login or configuration interfaces, given that access control checks are missing. An attacker would need to have some form of access to the site, possibly an existing user account or the ability to send crafted requests, and would exploit the lack of authorization controls to elevate privileges within the WordPress environment."}}}}, "created": "2026-04-08T19:29:55.503380+00:00", "updated": "2026-04-08T19:42:13.036540+00:00", "vendors": ["obadiah", "obadiah$PRODUCT$super_custom_login", "wordpress", "wordpress$PRODUCT$wordpress"]}