VYPR
Medium severity 5.3 · NVD Advisory · Published May 26, 2026

CVE-2026-39655

Description

Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Mayosis Core: from n/a through 5.4.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Mayosis Core plugin versions up to 5.4.7 have a missing authorization vulnerability that allows unprivileged users to execute higher privileged actions.

Vulnerability

The Mayosis Core plugin for WordPress, in versions through 5.4.7, contains a missing authorization vulnerability. The issue is classified as a broken access control flaw: the plugin fails to verify that a user has the required permissions before allowing access to certain functions or data. Because the access control security levels are incorrectly configured, the insufficient authorization checks can be exploited.

Exploitation

An attacker requires a valid WordPress user account at any privilege level, including the lowest (subscriber). The attacker can then craft requests to the vulnerable endpoints or functions that lack proper authorization checks, such as nonce or capability verification. No elevated permissions are needed; the attacker simply sends a malicious HTTP request to invoke a restricted action.

Impact

Successful exploitation allows an unprivileged user to perform actions or access data that should be reserved for higher-privileged roles (e.g., authors, editors, or administrators). The specific impact depends on the missing authorization context but could include modifying settings, accessing private data, or executing other restricted operations. The CVSS v3 base score is 5.3 (Medium), indicating moderate severity.

Mitigation

As of the reference publication date, users should update the Mayosis Core plugin to the latest patched version. The advisory [1] notes that vulnerabilities like this are used in mass-exploit campaigns, so immediate action is recommended. If unable to update, users should ask their hosting provider or web developer for help. No other workarounds are disclosed in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

1
