CVE-2026-39685

Vulnerability

Overview The Moneytizer WordPress plugin versions up to and including 10.0.10 contain a missing authorization vulnerability. This broken access control issue stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify user permissions before allowing certain actions [1].

Exploitation

Exploitation

Attackers can exploit this vulnerability without authentication, as the missing authorization check allows any unauthenticated user to access higher-privileged functions. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Impact

Successful exploitation enables an attacker to perform actions that should be restricted to higher-privileged users, potentially leading to site compromise, data exposure, or further attacks. The CVSS v3 base score of 5.3 (Medium) reflects the moderate severity of this broken access control issue [1].

Mitigation

The vendor has not released a patched version beyond 10.0.10 at the time of publication. Users are strongly advised to update the plugin immediately if a fix becomes available. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].