CVE-2026-39687

Vulnerability

Overview

CVE-2026-39687 is a missing authorization vulnerability in the Rapid Car Check Vehicle Data plugin for WordPress (free-vehicle-data-uk). The issue stems from incorrectly configured access control security levels, which can be exploited to bypass authorization checks [1]. The vulnerability affects all versions from n/a through 2.0.

Exploitation

Details

The flaw falls under the category of broken access control, meaning that the plugin fails to properly verify user permissions before allowing access to certain functions or data [1]. An attacker can exploit this issue without requiring authentication, as the access control mechanisms are not correctly implemented. This makes the vulnerability particularly dangerous for mass exploitation campaigns targeting WordPress websites.

Impact

A successful exploit allows an attacker to perform actions or access data that should be restricted to higher-privileged users. The CVSS v3 score of 5.3 (Medium) reflects the potential for unauthorized data access or privilege escalation without authentication [1]. The vulnerability is known to be used in broad automated attacks against thousands of sites regardless of size or popularity.

Mitigation

As of the publication date, users are advised to immediately update the plugin to a patched version if available [1]. If updating is not possible, temporary mitigations include consulting with a hosting provider or web developer to restrict access or disable the plugin until a fix is applied.