CVE-2026-39569
Missing Authorization in AA Web Servant 12 Step Meeting List
Publication date: 2026-04-08
Last updated on: 2026-04-10
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | 12_step_meeting_list | to 3.19.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-39569 vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions reserved for higher-privileged roles. Such unauthorized access can lead to potential exposure or manipulation of sensitive data.
While the vulnerability is considered moderate risk with a CVSS score of 6.5 and low priority impact, any unauthorized access or data breach could negatively affect compliance with common standards and regulations like GDPR or HIPAA, which require strict access controls and protection of personal or sensitive information.
Therefore, failure to patch this vulnerability could increase the risk of non-compliance due to improper access control mechanisms.
Can you explain this vulnerability to me?
The CVE-2026-39569 vulnerability is a Broken Access Control issue in the WordPress 12 Step Meeting List Plugin versions up to and including 3.19.9.
It arises from missing authorization, authentication, or nonce token checks in certain functions, which allows unprivileged users to perform actions that should be restricted to higher-privileged roles such as Contributors or Developers.
This means that the plugin does not properly enforce access control, enabling users without the necessary permissions to execute privileged operations.
How can this vulnerability impact me? :
This vulnerability can allow users with lower privileges to perform actions reserved for higher-privileged roles, potentially leading to unauthorized changes or access within the WordPress site.
Although the impact is considered low priority and exploitation is unlikely to have significant effect, such vulnerabilities are often targeted in mass-exploit campaigns affecting many websites indiscriminately.
If exploited, it could compromise the integrity of the siteβs data or functionality by allowing unauthorized modifications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing authorization checks in the WordPress 12 Step Meeting List Plugin versions up to 3.19.9, allowing unprivileged users to perform actions reserved for higher-privileged roles.
To detect this vulnerability on your system, you can check the installed version of the 12 Step Meeting List plugin to see if it is version 3.19.9 or earlier.
- Use the WordPress CLI command to check the plugin version: wp plugin get 12-step-meeting-list --field=version
- Review access control configurations and logs for unauthorized actions performed by users without Contributor or Developer privileges.
No specific network commands or signatures are provided in the available resources to detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WordPress 12 Step Meeting List plugin to version 3.19.10 or later, where the vulnerability has been patched.
Additionally, consider enabling auto-updates for the plugin to ensure timely application of future security patches.
Review and tighten access control settings to ensure that only authorized users have Contributor or Developer privileges.