{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39688", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:44.046Z", "dateUpdated": "2026-04-08T14:39:13.536Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-front-end-profile", "product": "WP Frontend Profile", "vendor": "Glowlogix", "versions": [{"lessThanOrEqual": "1.3.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:43.342Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-end-profile allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Frontend Profile: from n/a through <= 1.3.9.</p>"}], "value": "Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-end-profile allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Frontend Profile: from n/a through <= 1.3.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:44.046Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-front-end-profile/vulnerability/wordpress-wp-frontend-profile-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Frontend Profile plugin <= 1.3.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:39:05.970541Z", "id": "CVE-2026-39688", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:39:13.536Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39688", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:39:05.970541Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:38:56.554Z"}}], "cna": {"title": "WordPress WP Frontend Profile plugin <= 1.3.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Glowlogix", "product": "WP Frontend Profile", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.9"}], "packageName": "wp-front-end-profile", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:43.342Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-front-end-profile/vulnerability/wordpress-wp-frontend-profile-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-end-profile allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Frontend Profile: from n/a through <= 1.3.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-end-profile allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Frontend Profile: from n/a through <= 1.3.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:44.046Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39688", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:39:13.536Z", "dateReserved": "2026-04-07T10:58:10.483Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:44.046Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Glowlogix WP Frontend Profile wp-front-end-profile allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Frontend Profile: from n/a through <= 1.3.9."}], "id": "CVE-2026-39688", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:40.790", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-front-end-profile/vulnerability/wordpress-wp-frontend-profile-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.3.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WP Frontend Profile", "source": "cna", "vendor": "Glowlogix"}, "product": "wp_frontend_profile", "vendor": "glowlogix"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T16:25:57.610162+00:00", "value": {"mitigation_remediation": ["Update the WP Frontend Profile plugin to version 1.4.0 or later, if available, following the vendor's release notes.", "Disable or remove the WP Frontend Profile plugin from the WordPress installation if a newer version cannot be obtained.", "Review the WordPress user roles and capabilities to ensure no unintended permissions are granted to the plugin.", "Monitor site activity logs for anomalous access or configuration changes that might indicate exploitation attempts.", "Keep other WordPress core files and plugins updated to reduce the overall attack surface."], "summary": {"action": "Apply Patch", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Glowlogix WP Frontend Profile plugin released for WordPress. All installations using version 1.3.9 or earlier are vulnerable. No other product versions are specified as affected in the public disclosure.", "description_and_impact": "The WP Frontend Profile plugin (versions up to 1.3.9) contains a missing authorization flaw that lets attackers bypass the plugin\u2019s access control checks. When exploited, a user without sufficient privileges can gain unauthorized access to protected areas of the WordPress site, potentially reading or modifying sensitive user data. The weakness is classified as CWE-862, indicating an incorrect authorization mechanism.", "risk_and_exploitability": "The CVSS score of 5.3 highlights a medium severity risk. The EPSS score is less than 1%, suggesting the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The active attack vector is likely a web-based request that a site administrator or privileged user could run, though the description does not explicitly state remote code execution or other advanced capabilities; the inferred attack scenario involves unauthenticated or low-privilege users sending crafted requests to obtain elevated access. Because of the moderate CVSS rating and low EPSS, the risk is considered moderate, but patching is recommended to eliminate the access control bypass."}}}}, "created": "2026-04-08T19:27:46.487443+00:00", "updated": "2026-04-08T19:40:32.343605+00:00", "vendors": ["glowlogix", "glowlogix$PRODUCT$wp_frontend_profile", "wordpress", "wordpress$PRODUCT$wordpress"]}