VYPR
Medium severity6.5NVD Advisory· Published Apr 8, 2026· Updated Apr 29, 2026

CVE-2026-39639


Description

Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RPS Include Content: from n/a through <= 1.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in RPS Include Content plugin (≤1.2.2) allows unauthenticated attackers to exploit incorrectly configured access controls.

Vulnerability Overview

The RPS Include Content plugin for WordPress (versions up to and including 1.2.2) suffers from a missing authorization vulnerability. The plugin fails to properly verify access control security levels, meaning it does not check for the correct user capabilities or nonce tokens before executing certain privileged actions. This flaw is categorized as a broken access control issue [1].

Exploitation

An attacker can exploit this vulnerability without needing any prior authentication or elevated privileges. The missing authorization check means that any unauthenticated visitor to a WordPress site running the affected plugin can trigger functions that should be restricted to higher-privileged users, such as administrators. The attack surface is broad, as the plugin is used on many websites [1].

Impact

Successful exploitation allows an attacker to perform actions that should require authorization, potentially leading to unauthorized content inclusion, data exposure, or other malicious operations depending on the plugin's functionality. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Mitigation

The vendor has released a fix; users must update the RPS Include Content plugin to a version newer than 1.2.2. If an immediate update is not possible, users should contact their hosting provider or web developer for assistance. No workaround beyond updating is mentioned [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

1
