CVE-2026-25391
Missing Authorization in WP Wand AI Content Generation Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_grids | wp_wand | to 1.3.07 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25391 is a broken access control vulnerability in the WordPress WP Wand plugin versions up to and including 1.3.07. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions.
This flaw allows users with at least Contributor or Developer privileges to perform actions that should be restricted to higher-privileged roles.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
Exploitation of this vulnerability could allow lower-privileged users to execute actions reserved for higher-privileged roles, potentially leading to unauthorized changes or access within the WordPress site.
However, the impact is considered low with a CVSS severity score of 5.4, and exploitation is regarded as unlikely.
No official patch is currently available, but mitigation solutions are offered through the Patchstack security platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions of the WP Wand plugin. Detection would involve reviewing plugin function calls for missing access control checks.'}, {'type': 'paragraph', 'content': "Since no official patch or specific detection commands are provided, detection may require manual inspection of the plugin's code or monitoring for unauthorized actions performed by users with Contributor or Developer privileges."}, {'type': 'paragraph', 'content': 'No specific network or system commands for detection are mentioned in the available resources.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
No official patch is currently available for this vulnerability.
Mitigation involves restricting user roles to limit unprivileged users (such as Contributors or Developers) from performing actions reserved for higher-privileged roles.
Patchstack offers mitigation solutions through its security platform, which may help reduce risk until an official patch is released.
Monitoring and auditing user actions within the WP Wand plugin can also help detect and prevent exploitation.