CVE-2026-34886
Description
Unauthenticated broken access control in Simple Membership plugin <=4.7.1 allows unprivileged actions. Update to 4.7.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated broken access control in Simple Membership plugin <=4.7.1 allows unprivileged actions. Update to 4.7.2.
Vulnerability
The Simple Membership WordPress plugin versions 4.7.1 and earlier contain an unauthenticated broken access control vulnerability [1]. This means a missing authorization check allows unauthenticated users to perform higher privileged actions without proper authentication.
Exploitation
An unauthenticated attacker can exploit this vulnerability directly over the network without any user interaction. The specific function lacking a nonce or capability check is not detailed, but the vulnerability is reportedly used in mass-exploit campaigns, indicating ease of exploitation [1].
Impact
Successful exploitation can lead to unauthorized access to restricted functionality and actions intended for higher privileged users. The CVSS score is 7.5 (High), suggesting significant impact on confidentiality, integrity, or availability [1]. The assessor labels it low severity for WordPress, but the score indicates a serious risk.
Mitigation
The vulnerability is fixed in version 4.7.2 and later. Users should update immediately. If unable to update, consult hosting provider. Auto-update can be enabled for Patchstack users [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=4.7.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.