CVE-2026-39605
Received Received - Intake
Missing Authorization in Super Custom Login Allows Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from n/a through <= 1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39605
EUVD
EUVD-2026-20236
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
obadiah super_custom_login to 1.1 (inc)
patchstack super_custom_login to 1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation involves updating the affected Super Custom Login Plugin to a version that is not vulnerable. Since no official patch is currently available, if updating is not possible, users are advised to seek assistance from their hosting provider or web developer.

Executive Summary

CVE-2026-39605 is a Broken Access Control vulnerability in the WordPress Super Custom Login Plugin versions up to and including 1.1. It involves missing authorization, authentication, or nonce token checks within certain plugin functions. This flaw allows unauthenticated users to perform actions that normally require higher privileges.

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability allows unauthorized users to perform privileged actions without proper authentication or authorization. Although it has a CVSS severity score of 5.3, indicating a low priority and low impact threat, it can still be exploited in mass campaigns targeting many websites indiscriminately.

If exploited, it could lead to unauthorized access or changes within the affected WordPress site, potentially compromising site integrity or user data.

Currently, no official patch is available, so immediate mitigation involves updating the plugin or seeking assistance from hosting providers or web developers.

Detection Guidance

The vulnerability involves missing authorization, authentication, or nonce token checks within certain plugin functions of the Super Custom Login Plugin. Detection would typically require checking for unauthorized access attempts or unusual privilege escalations related to this plugin.

However, no specific detection commands or network signatures are provided in the available resources.

Compliance Impact

The vulnerability involves missing authorization and broken access control, which can allow unauthorized users to perform privileged actions. Such security flaws can potentially lead to unauthorized access to sensitive data or systems.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, broken access control issues generally pose risks to data confidentiality and integrity, which are critical requirements under these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that mandate strict access controls and protection of personal or sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart