CVE-2026-27362

Vulnerability

Analysis

CVE-2026-27362 is a missing authorization vulnerability in the WP Bakery Autoresponder Addon plugin for WordPress, specifically in versions up to and including 1.0.6. The plugin fails to properly enforce access controls, allowing an attacker to exploit incorrectly configured access control security levels. This broken access control issue means that functions which should require higher privileges or authentication are accessible without proper checks [1].

Exploitation

The vulnerability can be exploited by sending crafted requests to endpoints that lack authorization checks. No authentication is needed, and the attack surface includes any unprivileged user or even unauthenticated visitors. The Patchstack advisory highlights that such flaws are commonly used in mass-exploit campaigns, targeting thousands of WordPress sites regardless of size or popularity [1].

Impact

An attacker exploiting this flaw can perform actions reserved for higher-privileged roles, such as modifying plugin settings, accessing sensitive data, or escalating privileges further within the WordPress environment. This could lead to site compromise, data leakage, or unauthorized changes to the site’s functionality.

Mitigation

The immediate recommended action is to update the WP Bakery Autoresponder Addon plugin to a patched version (beyond 1.0.6). If updating is not possible, site administrators should consult their hosting provider or a web developer for assistance in applying workarounds. The vulnerability is considered moderately dangerous and is expected to be actively exploited [1].