{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39687", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:43.760Z", "dateUpdated": "2026-04-08T08:30:43.760Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "free-vehicle-data-uk", "product": "Rapid Car Check Vehicle Data", "vendor": "Rapid Car Check", "versions": [{"lessThanOrEqual": "2.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:43.116Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Rapid Car Check Vehicle Data: from n/a through <= 2.0.</p>"}], "value": "Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rapid Car Check Vehicle Data: from n/a through <= 2.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:43.760Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/free-vehicle-data-uk/vulnerability/wordpress-rapid-car-check-vehicle-data-plugin-2-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Rapid Car Check Vehicle Data plugin <= 2.0 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rapid Car Check Vehicle Data: from n/a through <= 2.0."}], "id": "CVE-2026-39687", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:40.660", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/free-vehicle-data-uk/vulnerability/wordpress-rapid-car-check-vehicle-data-plugin-2-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Rapid Car Check Vehicle Data", "source": "cna", "vendor": "Rapid Car Check"}, "product": "rapid_car_check_vehicle_data", "vendor": "rapid_car_check"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:31:06.303899+00:00", "value": {"mitigation_remediation": ["Verify the installed version of Rapid Car Check Vehicle Data plugin.", "If the version is 2.0 or older, upgrade to the latest release where the access control checks have been fixed, as noted in the official advisory.", "If an upgrade is not immediately possible, disable the plugin or restrict its public access via WordPress user permissions or by blocking the exposed endpoints.", "Monitor the site for any unauthorized data access attempts and review logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "This issue affects the Rapid Car Check Vehicle Data plugin versions from the first release up to and including 2.0. The plugin is widely used in WordPress installations that provide automotive or vehicle information services. All sites running any of these versions are exposed to the flaw unless remedied.", "description_and_impact": "Rapid Car Check Vehicle Data plugin for WordPress suffers a missing authorization flaw that permits unauthorized users to invoke functions and retrieve vehicle data that should be protected. The vulnerability arises from improperly configured access control checks, classified as CWE-862. Attackers who can interact with the plugin\u2019s endpoints can access sensitive information or potentially modify data, thereby compromising confidentiality and integrity of the vehicle data exposed by the site.", "risk_and_exploitability": "The CVSS severity is not provided, but the nature of the flaw allows unrestricted access to protected resources; the EPSS score is unavailable, and the vulnerability is not listed in KEV. The most likely attack path is via the plugin\u2019s public endpoints that should have been gated behind authentication or role checks. Because the flaw permits direct exploitation without special credentials, the risk of exploitation is high in environments that expose the plugin to the internet."}}}}, "created": "2026-04-08T19:27:47.555148+00:00", "updated": "2026-04-08T19:40:33.476988+00:00", "vendors": ["rapid_car_check", "rapid_car_check$PRODUCT$rapid_car_check_vehicle_data", "wordpress", "wordpress$PRODUCT$wordpress"]}