{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39685", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:42.864Z", "dateUpdated": "2026-04-08T08:30:42.864Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "the-moneytizer", "product": "The Moneytizer", "vendor": "lvaudore", "versions": [{"lessThanOrEqual": "10.0.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:43.052Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects The Moneytizer: from n/a through <= 10.0.10.</p>"}], "value": "Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Moneytizer: from n/a through <= 10.0.10."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:42.864Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-10-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress The Moneytizer plugin <= 10.0.10 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Moneytizer: from n/a through <= 10.0.10."}], "id": "CVE-2026-39685", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:40.403", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-10-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.0.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "The Moneytizer", "source": "cna", "vendor": "lvaudore"}, "product": "the_moneytizer", "vendor": "lvaudore"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:31:46.027100+00:00", "value": {"mitigation_remediation": ["Verify which version of the Moneytizer plugin is installed on your WordPress site.", "Update the plugin to the latest version (10.0.11 or later) as soon as a patch becomes available.", "If a newer version is not available, consider temporarily disabling or uninstalling the plugin until a fix is released.", "Restrict administrator access at the WordPress level to limit who can install or update plugins.", "Monitor the plugin\u2019s security advisories and the vendor\u2019s official communication channels for patch releases."], "summary": {"action": "Immediate Update", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects WordPress sites running the Moneytizer plugin version 10.0.10 or earlier, including all releases prior to that. The plugin, developed by lvaudore, is available from the standard WordPress plugin repository. Sites that have installed this plugin and have not upgraded to a later release are at risk.", "description_and_impact": "An access control flaw in the Moneytizer plugin allows an attacker to bypass authorization checks and gain unauthorized access to restricted features, potentially exposing sensitive configuration data or allowing malicious modifications. The vulnerability is a Missing Authorization issue as defined by CWE-862. Exploitation could lead to unauthorized data disclosure or alteration, affecting the confidentiality, integrity, and availability of the WordPress site.", "risk_and_exploitability": "The CVSS score is not publicly listed, and the EPSS score is unavailable, but the presence of a documented missing authorization check indicates a high likelihood of exploitation by unauthenticated or low\u2011privilege users. The vulnerability can be triggered via standard HTTP requests to the plugin\u2019s endpoints, suggesting a remote attack vector. Since the vendor has not yet issued a patch, the risk remains significant until a later plugin version is installed. The vulnerability is not currently included in the CISA KEV catalog, but its potential impact warrants immediate attention."}}}}, "created": "2026-04-08T19:27:49.657784+00:00", "updated": "2026-04-08T19:40:35.715378+00:00", "vendors": ["lvaudore", "lvaudore$PRODUCT$the_moneytizer", "wordpress", "wordpress$PRODUCT$wordpress"]}