Executive Summary

CVE-2026-39680 is a Broken Access Control vulnerability in the WordPress Diet Calorie Calculator Plugin versions up to and including 1.1.1.

This vulnerability arises from missing authorization, authentication, or nonce token checks, which allows unauthenticated users to perform actions that should be restricted to higher privileged users.

It is classified as an OWASP Top 10 A1 issue and requires no privileges to exploit.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-39680 vulnerability is a Broken Access Control issue that allows unauthenticated users to perform actions reserved for higher privileged users due to missing authorization checks.

Such unauthorized access could potentially lead to unauthorized data exposure or modification, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls to protect personal and sensitive data.

However, the provided information does not explicitly state the direct effects on compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

The CVE-2026-39680 vulnerability is a Broken Access Control issue in the WordPress Diet Calorie Calculator Plugin up to version 1.1.1, allowing unauthenticated users to perform privileged actions. Detection involves checking if the vulnerable plugin version is installed and monitoring for unauthorized access attempts.

To detect this vulnerability on your system, you can first verify the plugin version installed on your WordPress site by running commands to list installed plugins and their versions.

• Use WP-CLI to check the plugin version: `wp plugin list | grep diet-calorie-calculator`
• Inspect web server logs for suspicious unauthenticated requests attempting to access or modify plugin functionality.
• Use network monitoring tools to detect unusual HTTP requests targeting the Diet Calorie Calculator plugin endpoints.

Since the vulnerability allows unauthenticated exploitation, monitoring for unexpected POST or GET requests to plugin-specific URLs without proper authorization can help identify exploitation attempts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated users to perform privileged actions on affected websites using the Diet Calorie Calculator Plugin.

Although the CVSS score is 5.3 indicating low severity, it can be exploited in mass-exploit campaigns targeting many websites indiscriminately.

If exploited, it could lead to unauthorized changes or access within the plugin's functionality, potentially compromising site integrity or user data.

Immediate mitigation involves updating the plugin or seeking assistance from hosting providers or web developers.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation involves updating the affected Diet Calorie Calculator plugin to a fixed version if available.

If updating is not possible, users are advised to seek assistance from their hosting provider or web developer to implement protective measures.

Since no official patch is currently available, rapid mitigation services from Patchstack may be considered.

Useful 0 Not Useful 0