WordPress Plugin Vulnerabilities

Spectra < 2.19.23 - Contributor+ Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function, allowing authenticated attackers with contributor-level access and above to perform an unauthorized action.

Affects Plugins

Plugin icon
ultimate-addons-for-gutenberg
Fixed in 2.19.23

References

CVE
CVE-2026-42648
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ce1088da-8db0-4bf5-a1ee-2121d5b9840a

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
97db70cd-40f0-452c-8504-81efc67fc260

Timeline

Publicly Published
2026-03-27 (about 2 months ago)
Added
2026-05-08 (about 1 month ago)
Last Updated
2026-05-08 (about 1 month ago)

Other

Published
Title
Published
2026-04-07
Title
Smart Slider 3 < 3.5.1.34 - Contributor+ Slider Data Read and Image Record Manipulation
Published
2024-12-19
Title
Premium Addons for Elementor < 4.10.57 - Missing Authorization
Published
2024-12-17
Title
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes < 7.8.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Published
2025-12-31
Title
Live Shopping & Shoppable Videos For WooCommerce <= 2.2.0 - Missing Authorization
Published
2026-05-13
Title
WPBakery Page Builder < 8.7.3 - Missing Authorization