CVE-2026-39680
Description
Missing Authorization vulnerability in MWP Development Diet Calorie Calculator diet-calorie-calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Diet Calorie Calculator: from n/a through <= 1.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A medium-severity missing authorization vulnerability in the Diet Calorie Calculator WordPress plugin allows unauthenticated attackers to exploit incorrect access control, affecting versions up to 1.1.1.
Vulnerability Overview
The Diet Calorie Calculator plugin for WordPress (versions n/a through <= 1.1.1) contains a Missing Authorization vulnerability [1]. This flaw stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify whether a user has the necessary privileges before allowing certain actions [1]. This is classified as a Broken Access Control issue, where a missing authorization, authentication, or nonce token check can lead to unprivileged users executing higher-privileged actions [1].
Exploitation Prerequisites and Attack Vector
The vulnerability is exposed through the WordPress plugin's functions that lack proper authorization checks [1]. No authentication is required for exploitation, as the access control failure occurs at a level that does not enforce user identity verification. Attackers can target any site running the vulnerable plugin version without needing any prior credentials or specific network position, making it suitable for mass-exploit campaigns [1].
Potential Impact
An attacker successfully exploiting this vulnerability can perform actions that should normally require higher privileges, such as accessing or modifying data, or executing administrative functions within the plugin's context [1]. Since no authentication is needed, the attack surface is broad, and the impact includes unauthorized manipulation of the calorie calculator functionality and potentially connected data.
Mitigation Status
The recommended action is to immediately update the Diet Calorie Calculator plugin to a patched version [1]. Users who cannot update immediately should contact their hosting provider or web developer for assistance. The vulnerability is not listed as exploited in KEV, but given its use in mass campaigns, prioritizing the update is critical [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=1.1.1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.