CVE-2026-39605
Missing Authorization in Super Custom Login Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| obadiah | super_custom_login | to 1.1 (inc) |
| patchstack | super_custom_login | to 1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected Super Custom Login Plugin to a version that is not vulnerable. Since no official patch is currently available, if updating is not possible, users are advised to seek assistance from their hosting provider or web developer.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves missing authorization and broken access control, which can allow unauthorized users to perform privileged actions. Such security flaws can potentially lead to unauthorized access to sensitive data or systems.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, broken access control issues generally pose risks to data confidentiality and integrity, which are critical requirements under these regulations.
Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that mandate strict access controls and protection of personal or sensitive information.
Can you explain this vulnerability to me?
CVE-2026-39605 is a Broken Access Control vulnerability in the WordPress Super Custom Login Plugin versions up to and including 1.1. It involves missing authorization, authentication, or nonce token checks within certain plugin functions. This flaw allows unauthenticated users to perform actions that normally require higher privileges.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability allows unauthorized users to perform privileged actions without proper authentication or authorization. Although it has a CVSS severity score of 5.3, indicating a low priority and low impact threat, it can still be exploited in mass campaigns targeting many websites indiscriminately.
If exploited, it could lead to unauthorized access or changes within the affected WordPress site, potentially compromising site integrity or user data.
Currently, no official patch is available, so immediate mitigation involves updating the plugin or seeking assistance from hosting providers or web developers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves missing authorization, authentication, or nonce token checks within certain plugin functions of the Super Custom Login Plugin. Detection would typically require checking for unauthorized access attempts or unusual privilege escalations related to this plugin.
However, no specific detection commands or network signatures are provided in the available resources.