CVE-2026-39561
Received Received - Intake
Missing Authorization in WP Chill Revive.so ≀ 2.0.7 Allows Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39561
EUVD
EUVD-2026-20203
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
revive.so revive.so to 2.0.7 (inc)
wp_chill revive.so to 2.0.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39561 is a Broken Access Control vulnerability in the WordPress Revive.so plugin versions up to and including 2.0.7.

The vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that normally require higher privileges.

It is classified under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability allows unauthenticated users to perform privileged actions, potentially compromising the security of websites using the affected plugin.

However, the CVSS severity score is 5.3, indicating a low priority threat with limited impact.

Despite the low severity, it can be exploited in mass campaigns targeting many websites indiscriminately.

Users are strongly advised to update to version 2.0.8 or later of the Revive.so plugin to mitigate this risk.

Detection Guidance

CVE-2026-39561 is a Broken Access Control vulnerability in the WordPress Revive.so plugin versions up to 2.0.7, caused by missing authorization or authentication checks in certain plugin functions. Detection involves identifying if the vulnerable plugin version is installed and checking for unauthorized access attempts.

Since the vulnerability allows unauthenticated users to perform privileged actions, monitoring web server logs for suspicious requests targeting Revive.so plugin endpoints may help detect exploitation attempts.

Specific commands to detect the vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update the Revive.so WordPress plugin to version 2.0.8 or later, where the vulnerability has been patched.

Using automated update tools such as Patchstack can facilitate rapid deployment of the patched plugin version.

Until the update is applied, restricting access to the plugin's endpoints or disabling the plugin temporarily may reduce risk.

Compliance Impact

CVE-2026-39561 is a Broken Access Control vulnerability in the WordPress Revive.so plugin that allows unauthenticated users to perform actions requiring higher privileges due to missing authorization checks.

While the vulnerability is classified as low severity with a CVSS score of 5.3 and limited impact, broken access control issues can potentially lead to unauthorized access or modification of data.

Such unauthorized access could pose risks to compliance with standards and regulations like GDPR or HIPAA, which require strict access controls to protect personal and sensitive data.

However, the provided information does not explicitly state any direct impact or violation of these regulations caused by this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39561. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart