CVE-2026-39713

The Mailercloud – Integrate webforms and synchronize website contacts plugin for WordPress (versions up to and including 1.0.7) contains a missing authorization vulnerability. This is a broken access control issue where certain functions are executed without verifying that the requesting user has the necessary privileges or a valid nonce token [1]. The root cause is an incorrectly configured access control security level, allowing requests that should require higher-level permissions to be processed by any user (or even unauthenticated visitors).

Exploitation requires no authentication, making the attack surface broad. An attacker can send crafted HTTP requests to the vulnerable endpoints, triggering actions that should be restricted to authorized administrators. The official advisory from Patchstack notes that such vulnerabilities are commonly used in mass-exploit campaigns against thousands of WordPress sites regardless of size or popularity [1]. The CVSS v3 base score of 5.3 (Medium) reflects the relatively low attack complexity and network-based vector.

The impact is that an unprivileged (or unauthenticated) attacker can exploit the missing authorization to perform unauthorized operations within the plugin's scope. This could include modifying webform integrations or contact synchronization settings, potentially leading to data leakage or further compromise [1].

As a mitigation, the vendor recommends immediately updating the plugin to a patched version. If updating is not possible, users should contact their hosting provider or a WordPress security expert for assistance [1]. No evidence of official patches beyond the affected version 1.0.7 is cited, so upgrading beyond that range is advised.