CVE-2026-39706

Vulnerability

Overview

The Make My Trivia plugin for WordPress, up to and including version 1.1.0, contains a Missing Authorization vulnerability. This is a type of Broken Access Control issue where the plugin fails to properly verify nonce tokens or user capabilities before executing privileged functions [1].

Attack

Vector

An unauthenticated attacker can exploit this by sending crafted requests to the plugin's endpoints that lack proper authorization checks. The vulnerability does not require any previous authentication or special network position [1]. This makes it trivially exploitable in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation allows an attacker to perform actions intended only for higher-privileged users, potentially including creating, modifying, or deleting arbitrary content or configuration settings. The CVSS score of 5.3 reflects the medium severity due to the low complexity and network attack vector [1].

Mitigation

The plugin vendor has not released a patched version. Users are strongly advised to update to version 1. If no update is available, the plugin should be removed or access restricted via web application firewall rules. Immediate action is recommended as these vulnerabilities are actively targeted in mass campaigns [1].