CVE-2026-42677
Description
A missing authorization vulnerability in the WP Document Revisions plugin before version 4.0.0 allows unprivileged users to perform unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Document Revisions plugin for WordPress, in versions prior to 4.0.0, contains a broken access control vulnerability [2]. The flaw stems from a missing authorization check: specific plugin functions do not properly validate user permissions or nonce tokens before executing [2]. The vulnerability is present in the core plugin logic, so it is reachable by any user capable of interacting with the affected functions [2].
Exploitation
An attacker does not require high-level privileges to exploit this vulnerability. By interacting with the vulnerable functions, an unprivileged user can bypass the intended access controls [2]. The exploit sequence involves triggering the unprotected function, which the application processes without proper authorization validation [2].
Impact
Successful exploitation allows an unprivileged user to execute actions that should be restricted to higher-privileged users [2]. This can lead to unauthorized modification or management of documents within the system, potentially compromising the integrity and confidentiality of the document management workflow [2].
Mitigation
The vulnerability is addressed in version 4.0.0 of the WP Document Revisions plugin [2]. Users are strongly advised to update to version 4.0.0 or later immediately to resolve the security issue [2]. If an immediate update is not possible, site administrators should consult with their hosting provider or developer to implement temporary security mitigations [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions
No linked articles in our index yet.