{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39713", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:29.177Z", "datePublished": "2026-04-08T08:30:49.120Z", "dateUpdated": "2026-04-08T08:30:49.120Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mailercloud-integrate-webforms-synchronize-contacts", "product": "Mailercloud &#8211; Integrate webforms and synchronize website contacts", "vendor": "mailercloud", "versions": [{"lessThanOrEqual": "1.0.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:45.389Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in mailercloud Mailercloud &#8211; Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Mailercloud &#8211; Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7.</p>"}], "value": "Missing Authorization vulnerability in mailercloud Mailercloud &#8211; Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mailercloud &#8211; Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:49.120Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mailercloud-integrate-webforms-synchronize-contacts/vulnerability/wordpress-mailercloud-integrate-webforms-and-synchronize-website-contacts-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Mailercloud \u2013 Integrate webforms and synchronize website contacts plugin <= 1.0.7 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in mailercloud Mailercloud &#8211; Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mailercloud &#8211; Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7."}], "id": "CVE-2026-39713", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:44.267", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mailercloud-integrate-webforms-synchronize-contacts/vulnerability/wordpress-mailercloud-integrate-webforms-and-synchronize-website-contacts-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Mailercloud &#8211; Integrate webforms and synchronize website contacts", "source": "cna", "vendor": "mailercloud"}, "product": "mailercloud_&#8211;_integrate_webforms_and_synchronize_website_contacts", "vendor": "mailercloud"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:41:09.824605+00:00", "value": {"mitigation_remediation": ["Upgrade the Mailercloud plugin to a version newer than 1.0.7.", "If an upgrade is not possible, delete or uninstall the plugin entirely.", "Verify that no residual plugin files remain on the server after removal.", "Review WordPress user roles and permissions to ensure least\u2011privilege access.", "Monitor site logs for suspicious access patterns."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Mailercloud \u2013 Integrate webforms and synchronize website contacts plugin in all releases up to and including version 1.0.7.", "description_and_impact": "Missing authorization in the Mailercloud \u2013 Integrate webforms and synchronize website contacts plugin allows attackers to use endpoints that should be restricted to privileged users, enabling unauthorized modifications or disclosure of contact data.", "risk_and_exploitability": "Because the plugin omits proper authorization checks, an attacker with any access to the WordPress site can issue requests to privileged API endpoints and gain the same capabilities as an administrator for contact data. The flaw can be exploited entirely via the web interface without additional system compromise. Although no CVSS or EPSS metrics are published, the possibility of full unauthorized data access and modification makes the risk high, warranting immediate attention."}}}}, "created": "2026-04-08T19:27:23.705414+00:00", "updated": "2026-04-08T19:40:04.208358+00:00", "vendors": ["mailercloud", "mailercloud$PRODUCT$mailercloud_&#8211;_integrate_webforms_and_synchronize_website_contacts", "wordpress", "wordpress$PRODUCT$wordpress"]}