{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39658", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:53.260Z", "datePublished": "2026-04-08T08:30:36.675Z", "dateUpdated": "2026-04-08T08:30:36.675Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "panda-pods-repeater-field", "product": "Panda Pods Repeater Field", "vendor": "Coding Panda", "versions": [{"lessThanOrEqual": "1.5.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:40.141Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12.</p>"}], "value": "Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:36.675Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/panda-pods-repeater-field/vulnerability/wordpress-panda-pods-repeater-field-plugin-1-5-12-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Panda Pods Repeater Field plugin <= 1.5.12 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12."}], "id": "CVE-2026-39658", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:36.970", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/panda-pods-repeater-field/vulnerability/wordpress-panda-pods-repeater-field-plugin-1-5-12-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Panda Pods Repeater Field", "source": "cna", "vendor": "Coding Panda"}, "product": "panda_pods_repeater_field", "vendor": "coding_panda"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:04:12.427808+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of the Panda Pods Repeater Field plugin (>=\u202f1.5.13) to eliminate the missing authorization logic.", "Ensure that role\u2011based permissions for the plugin are correctly configured and that only trusted administrators can create or modify pod data.", "If an update is not possible, deactivate or remove the plugin from the site to prevent unauthorized access.", "Monitor WordPress logs for unexpected activity associated with pod data modifications.", "Apply network\u2011level restrictions or web application firewall rules to block suspicious requests to the plugin\u2019s endpoints."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The issue affects the Coding Panda Panda Pods Repeater Field WordPress plugin in all releases from the known starting point through version\u202f1.5.12. Any site that has the plugin installed and operating on a version no newer than 1.5.12 is vulnerable. The plugin is commonly used in WordPress installations under the vendor Coding Panda.", "description_and_impact": "The vulnerability is a missing authorization check that allows an attacker to bypass normal access controls within the Panda Pods Repeater Field plugin. Because the plugin does not enforce permissions on its API endpoints, an authenticated or unauthenticated user may create, modify, or delete pod data and other sensitive content. This can lead to data corruption, disclosure, or unauthorized changes to site content, satisfying CWE\u2011862, Missing Authorization. The impact is the potential for unauthorized manipulation of WordPress content and associated data.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS information is unavailable, so the precise severity cannot be quantified. However, because the flaw permits bypassing access controls, it presents a high risk of privilege escalation and data tampering. The lack of an official KEV listing suggests no known exploited instances yet, but the absence of safeguards makes exploitation straightforward once the vulnerability is discovered. The likely attack path would involve sending crafted HTTP requests to the plugin\u2019s exposed endpoints with credentials or through cross\u2011site request forgery techniques."}}}}, "created": "2026-04-08T19:28:15.059796+00:00", "updated": "2026-04-08T19:41:18.048819+00:00", "vendors": ["coding_panda", "coding_panda$PRODUCT$panda_pods_repeater_field", "wordpress", "wordpress$PRODUCT$wordpress"]}