CVE-2026-39682
Description
Missing Authorization vulnerability in Arjan Pronk linkPizza-Manager linkpizza-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects linkPizza-Manager: from n/a through <= 5.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The linkPizza-Manager plugin for WordPress up to version 5.5.5 is vulnerable to broken access control, allowing unauthenticated attackers to exploit missing authorization checks.
Vulnerability Overview
The WordPress linkPizza-Manager plugin, developed by Arjan Pronk, contains a Missing Authorization vulnerability in versions up to and including 5.5.5 [1]. This flaw stems from incorrectly configured access control security levels, which means the plugin does not properly verify that a user has the necessary permissions before executing certain actions.
Exploitation
This broken access control issue can be exploited by unauthenticated attackers who have network access to a WordPress site running the vulnerable plugin [1]. The lack of authorization or nonce token checks in critical functions allows an unprivileged user to perform actions that are normally restricted to higher-privileged roles. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites simultaneously [1].
Impact
Successful exploitation could allow an attacker to execute privileged actions without proper authentication, potentially leading to unauthorized data access, modification, or other administrative-level operations [1]. The official CVSS base score for this vulnerability is 5.3 (Medium); the vector reflects low attack complexity and a network-based attack vector.
Mitigation
As an immediate action, website administrators should update the linkPizza-Manager plugin to a patched version [1]. If updating is not possible, it is recommended to consult with a hosting provider or web developer for alternative protective measures [1]. Given the plugin's identified vulnerability, this issue may be included in known exploited vulnerability lists and should be prioritized for remediation.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=5.5.5
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.