{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39699", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:16.464Z", "datePublished": "2026-04-08T08:30:46.515Z", "dateUpdated": "2026-04-08T08:30:46.515Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ai-workflow-automation-lite", "product": "AI Workflow Automation", "vendor": "massiveshift", "versions": [{"lessThanOrEqual": "1.4.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:45.833Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AI Workflow Automation: from n/a through <= 1.4.2.</p>"}], "value": "Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:46.515Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ai-workflow-automation-lite/vulnerability/wordpress-ai-workflow-automation-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress AI Workflow Automation plugin <= 1.4.2 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2."}], "id": "CVE-2026-39699", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:42.437", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ai-workflow-automation-lite/vulnerability/wordpress-ai-workflow-automation-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AI Workflow Automation", "source": "cna", "vendor": "massiveshift"}, "product": "ai_workflow_automation", "vendor": "massiveshift"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:27:21.016898+00:00", "value": {"mitigation_remediation": ["Upgrade AI Workflow Automation plugin to a version newer than 1.4.2.", "Review and restrict WordPress user roles that have access to the plugin\u2019s administrative functions.", "Verify the plugin\u2019s configuration to ensure no overly permissive settings remain.", "Monitor the site for anomalous workflow activity and apply future security updates promptly."], "summary": {"action": "Upgrade", "impact": "Missing Authorization"}, "threat_synthesis": {"affected_systems": "WordPress installations that include the AI Workflow Automation (ai\u2011workflow\u2011automation\u2011lite) plugin version 1.4.2 or earlier are affected. The plugin, supplied through the WordPress plugin repository, is used to automate site workflows and is therefore present on any site that has opted to use it for task automation.", "description_and_impact": "The vulnerability is a broken access control flaw in the massiveshift AI Workflow Automation WordPress plugin. Incorrectly configured security levels allow attackers to manipulative workflow configurations and perform administrative actions, such as creating, editing, or deleting workflow rules, without the required permissions. This can lead to unauthorized changes to automated tasks and the potential injection or persistence of malicious code within the site\u2019s automation processes.", "risk_and_exploitability": "No CVSS score, EPSS value, or KEV listing is provided, limiting the publicly available severity data. Nonetheless, because the flaw involves a missing authorization check exposed through web\u2011based plugin endpoints, an attacker could likely exploit it remotely by sending privileged requests to the plugin\u2019s administrative URLs. Successful exploitation would compromise the confidentiality, integrity, or availability of the WordPress site and anyone interacting with the automated workflows. The absence of documented exploits suggests a moderate risk level, but the potential impact and ease of exploitation justify prompt action."}}}}, "created": "2026-04-08T19:27:35.872308+00:00", "updated": "2026-04-08T19:40:20.396261+00:00", "vendors": ["massiveshift", "massiveshift$PRODUCT$ai_workflow_automation", "wordpress", "wordpress$PRODUCT$wordpress"]}