CVE-2026-39592
Missing Authorization in DEPART Plugin Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| andy_ha | depart_deposit_and_part_payment_for_woo | to 1.0.7 (inc) |
| villatheme | depart-deposit-and-part-payment-for-woo | to 1.0.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39592 is a Broken Access Control vulnerability in the WordPress DEPART Plugin versions up to and including 1.0.7. It is caused by missing authorization, authentication, or nonce token checks within certain plugin functions.
This flaw allows unprivileged users, such as those with Subscriber or Developer roles, to perform actions that should be restricted to higher privilege levels.
The vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS score of 4.3, indicating low severity.
How can this vulnerability impact me? :
This vulnerability can allow unprivileged users to perform unauthorized actions within the affected WordPress plugin, potentially leading to unauthorized changes or access.
Although the impact is considered low and exploitation is unlikely, attackers could leverage this flaw in mass-exploit campaigns targeting many websites indiscriminately.
Users of the plugin are strongly advised to update to version 1.0.8 or later to mitigate the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions, allowing low-privilege users to perform restricted actions.
To detect exploitation attempts on your system, you can monitor for unusual activity from users with Subscriber or Developer roles attempting to access or modify functions reserved for higher privilege levels.
Specific detection commands are not provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the DEPART plugin to version 1.0.8 or later, where the vulnerability has been patched.
Additionally, consider using Patchstack mitigation services which include auto-updates for vulnerable plugins.
Restricting user roles and privileges to the minimum necessary can also reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.