Medium severity 6.5 · NVD Advisory · Published May 21, 2026 · Updated May 21, 2026

CVE-2026-39593

Description

Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects HAPPY: from n/a through 1.0.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WordPress HAPPY plugin versions up to 1.0.10 contain a missing authorization vulnerability that allows unauthenticated attackers to exploit incorrectly configured access control security levels.

Vulnerability Overview

The HAPPY plugin for WordPress (versions n/a through 1.0.10) suffers from a missing authorization vulnerability, classified as a Broken Access Control issue. The root cause is a failure to properly check permissions or nonce tokens in certain functions, enabling exploitation of incorrectly configured access control security levels [1].

Exploitation Details

An unauthenticated attacker can trigger the vulnerability remotely without any privileges. The attack vector is over the network and requires low complexity, as no user interaction or specialized conditions are needed. This makes it particularly suitable for mass exploitation campaigns against thousands of WordPress sites regardless of their size or traffic [1].

Impact

Successful exploitation allows an attacker to perform privileged actions that should be restricted, such as accessing or modifying protected resources. The CVSS v3 base score of 6.5 (Medium) reflects the moderate severity due to the potential for unauthorized access or data manipulation [1].

Mitigation Status

The vendor has released version 1.0.11 which resolves the vulnerability. Users are advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks, and the plugin can be set to auto-update for vulnerable plugins [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 1

News mentions: 1