CVE-2026-39585
Missing Authorization in Arraytics Booktics β€1.0.16 Enables Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arraytics | booktics | to 1.0.16 (inc) |
| patchstack | booktics | to 1.0.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39585 is a Broken Access Control vulnerability in the WordPress Booktics Plugin versions up to and including 1.0.16.
This vulnerability occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions.
As a result, unauthenticated users can perform actions that should be restricted to higher-privileged users.
It is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated users to perform privileged actions within the Booktics plugin, potentially compromising the security of the affected WordPress site.
Although the CVSS severity score is 5.3, indicating a low priority threat with limited impact, exploitation could still lead to unauthorized access or changes.
The vulnerability requires no prior authentication, which increases its potential risk.
However, the low severity suggests that exploitation is unlikely to cause significant damage.
Users are advised to update to version 1.0.17 or later to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves missing authorization checks in the WordPress Booktics Plugin versions up to 1.0.16, allowing unauthenticated users to perform privileged actions.
Detection would involve checking if the vulnerable plugin version is installed on your WordPress site.
You can detect the presence of the vulnerable plugin version by running commands to check the plugin version, for example:
- Using WP-CLI: wp plugin list | grep booktics
- Manually checking the plugin version in the WordPress admin dashboard under Plugins.
Network detection of exploitation attempts is difficult due to the nature of the vulnerability (missing authorization), but monitoring HTTP requests for suspicious access to Booktics plugin endpoints without authentication may help.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Booktics plugin to version 1.0.17 or later, where the vulnerability has been patched.
If immediate updating is not possible, consider disabling the Booktics plugin temporarily to prevent exploitation.
Additionally, implementing strict access controls and monitoring for unauthorized access attempts to the plugin's functions can help reduce risk.
Using services like Patchstack's auto-update and mitigation tools can also assist in managing this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Broken Access Control issue that allows unauthenticated users to perform actions reserved for higher-privileged users. Such unauthorized access can lead to exposure or manipulation of sensitive data, which may impact compliance with standards like GDPR and HIPAA that require strict access controls and protection of personal and health information.
Although the CVSS severity score is low (5.3), the missing authorization checks could potentially result in unauthorized data access or modification, thereby violating regulatory requirements for data confidentiality and integrity.
Mitigating this vulnerability by updating to the patched version (1.0.17 or later) is important to maintain compliance with these standards.