CVE-2026-40728
Description
Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Magazine Blocks: from n/a through <= 1.8.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Magazine Blocks plugin up to version 1.8.3 allows unauthenticated or low-privileged attackers to exploit access control flaws, potentially enabling unauthorized actions.
Vulnerability Description
The vulnerability concerns a missing authorization check in the WordPress Magazine Blocks plugin (versions up to 1.8.3). The root cause is an incorrectly configured access control security level, allowing functions to be executed without proper authentication or nonce verification [1].
Exploitation
Attackers exploiting this issue do not require high privileges; unprivileged users can perform actions intended for higher-privileged roles. The vulnerability is leveraged in mass-exploit campaigns, targeting many websites regardless of size or popularity [1].
Impact
A successful exploit enables an attacker to perform unauthorized actions due to broken access control. While CVSS v3 scores the issue as 4.3 (medium severity), the vendor notes that exploitation in the WordPress ecosystem may be practical, and automated scanning exists [1].
Mitigation
The vulnerability is fixed in version 1.8.4 of the plugin. Users are strongly advised to update immediately. For those using Patchstack, auto-updates for vulnerable plugins can be enabled [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.8.3
Patches
No patches discovered yet.
References